Check whether a website is accidentally leaking API keys, credentials, or sensitive files
This tool scans a site for the most common ways secrets get exposed by mistake: publicly
reachable .env files, exposed .git folders, leftover backups and
database dumps, and API keys or tokens hardcoded into the page's HTML or JavaScript. Any secret
it finds is masked — you'll see enough to locate and rotate it, never the full value.
To keep this tool strictly self-service, you can only scan a domain after proving you control it:
you'll be asked to publish a small tools-ninja-verify.txt file at the site's root —
exactly like an ads.txt. If the file isn't there, the scan won't run.
Scanning — checking sensitive paths and linked scripts…