Exposed Secrets Scanner

Check whether a website is accidentally leaking API keys, credentials, or sensitive files

This tool scans a site for the most common ways secrets get exposed by mistake: publicly reachable .env files, exposed .git folders, leftover backups and database dumps, and API keys or tokens hardcoded into the page's HTML or JavaScript. Any secret it finds is masked — you'll see enough to locate and rotate it, never the full value.

To keep this tool strictly self-service, you can only scan a domain after proving you control it: you'll be asked to publish a small tools-ninja-verify.txt file at the site's root — exactly like an ads.txt. If the file isn't there, the scan won't run.

Enter a domain or full URL. The scan checks the site's root and its linked scripts.

Scanning — checking sensitive paths and linked scripts…

Found this useful? Share it