Lab 2
Level 1 - Beginner
Exposed API Key in JS Lab
Level 1 Client-Side Security simulation: learn why API keys embedded in frontend JavaScript are visible to anyone who can inspect the bundle.
Client-Side Security • 20 min
Learning Objectives
This lab is a controlled simulation only. No real backend or dangerous code execution is used.
Objective 1
Inspect a fake JavaScript snippet and identify the hardcoded secret value inside it.
Objective 2
Understand why any credential shipped to the browser should be treated as public.
Objective 3
Learn why sensitive keys belong on the server side rather than inside client bundles.
Challenge Area
Use the input fields below to safely simulate the vulnerable behavior.
Exposed API Key
Fake JS Bundle Snippet
const API_KEY = "sk_test_12345";
const API_URL = "/api/client-search";
Result Panel
Inspect the fake JavaScript snippet and enter the exposed API key that should never have been embedded in client-side code.
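A defender-side follow-up to the objectives above, as an added example that is not part of the original lab: a pre-deploy check that scans bundle text for secret-like literals, run against the lab's fake snippet and a constructed hardened bundle that keeps only the same-origin route. The rule ids, patterns, and the `scanBundle` / `checkBundle` helpers are illustrative assumptions.

```javascript
// Added example: pre-deploy check that scans bundle text for secret-like literals.
// Rule ids and patterns are illustrative assumptions, not a complete ruleset.
const RULES = [
  // A credential-sounding identifier assigned a string literal.
  { id: "secret-named-assignment",
    re: /\b(?:const|let|var)\s+([\w$]*(?:KEY|SECRET|TOKEN|PASSWORD)[\w$]*)\s*=\s*(["'`])([^"'`\n]{8,})\2/gi },
  // A literal shaped like the lab's fake key ("sk_<env>_<chars>"), wherever it appears.
  { id: "secret-prefixed-literal",
    re: /(["'`])(sk_[a-z]+_[A-Za-z0-9]{4,})\1/g },
];

function scanBundle(source) {
  const findings = new Map(); // keyed by line:value so one literal is reported once
  source.split("\n").forEach((text, i) => {
    for (const { id, re } of RULES) {
      for (const m of text.matchAll(re)) {
        const value = m[m.length - 1]; // last capture group holds the literal
        const key = `${i + 1}:${value}`;
        if (!findings.has(key)) {
          // Report only a short preview so the scan log does not re-leak the value.
          findings.set(key, { line: i + 1, rule: id, preview: value.slice(0, 4) + "***" });
        }
      }
    }
  });
  return [...findings.values()];
}

// Build gate: ok is false when anything secret-like would ship to the browser.
function checkBundle(source) {
  const findings = scanBundle(source);
  return { ok: findings.length === 0, findings };
}

// The lab's fake snippet, and a constructed bundle where the key has moved to
// server-side configuration and the client only calls the same-origin route.
const VULNERABLE_BUNDLE = [
  'const API_KEY = "sk_test_12345";',
  'const API_URL = "/api/client-search";',
].join("\n");
const HARDENED_BUNDLE = [
  'const API_URL = "/api/client-search";',
  'const search = (q) => fetch(API_URL + "?q=" + encodeURIComponent(q));',
].join("\n");

console.log(checkBundle(VULNERABLE_BUNDLE));
console.log(checkBundle(HARDENED_BUNDLE));
```

Name-based rules will flag harmless identifiers that happen to contain words like KEY, so treat a finding as a prompt for review rather than proof of a leak.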