Public assets
Public bundles, source maps, Supabase/Firebase config, webhooks, DSNs, and JWT previews — every token-like value comes with the exact source file it leaked from.
Continuously monitor your domains, apps, APIs, public JavaScript, and exposed services. Catch new exposures before they become incidents.
acme.com · 5 root domains · 218 assets
| Severity | Finding | Asset | Seen |
|---|---|---|---|
| Critical | Exposed .env with live database URL | api.acme.com/.env | 4m ago |
| Critical | Auth bypass — API accepts JWT alg:none | api.acme.com/v1/auth | 9m ago |
| Medium | Undocumented admin API reachable | api.acme.com/internal/v2 | 1h ago |
| Medium | Staging host publicly resolvable | staging.acme.com | 3h ago |
| Low | Security headers missing on CDN host | cdn.acme.com | 1d ago |
9 open across acme.com
| Severity | Issue | Asset | State |
|---|---|---|---|
| Critical | Exposed .env with live database URL | api.acme.com/.env | Open |
| Critical | Auth bypass — API accepts JWT alg:none | api.acme.com/v1/auth | Open |
| High | Admin panel reachable without auth | admin.acme.com | Open |
| High | Subdomain takeover candidate | blog.acme.com | Triaging |
| Medium | Undocumented admin API reachable | api.acme.com/internal/v2 | Open |
| Medium | Staging host publicly resolvable | staging.acme.com | Triaging |
Ask about exposure changes and what to fix next
5 exposed in public assets on acme.com
| Severity | Secret | Source |
|---|---|---|
| High | AWS access key (long-lived IAM)AKIAQ4F7XKZ2NB6QF3J · wJalrXUtnFEMI…bPxRfiCY | /assets/config.4c2.js |
| Medium | Supabase anon keysb_pub_3f9a1c7e…e21 | /assets/vendor.4c2.js |
| Medium | Stripe webhook secretwhsec_9c41…2d | /api/checkout.js |
| Low | Sentry DSNhttps://a1b2c3…@o42.ingest.sentry.io | /assets/app.8f1c.js |
| Low | Google Maps API keyAIzaSyB7…Xk | /index.html |
New secrets, API routes, reachable services, header drift, and JWT risks are separated from old findings.
Each item keeps the affected host, source file, matched context, first seen time, and recheck path.
States, alerts, PDF proof, and targeted rechecks turn exposure review into an owner-ready packet.
Review loop
AI-assisted shipping means public apps change constantly: new routes, client config, JavaScript bundles, and services appear between releases. Surface Drift keeps checking approved domains and hands you the security-relevant changes that need review.
Public bundles, source maps, Supabase/Firebase config, webhooks, DSNs, and JWT previews — every token-like value comes with the exact source file it leaked from.
New routes, GraphQL hints, reachable hosts, staging surfaces, and admin panels — the services that actually matter, pulled out of the static-asset noise.
TLS, DNS, and security-header drift, changed assets, finding states, PDF evidence, and a targeted recheck that verifies the fix once you ship it.
Capabilities
Scope
AI-assisted shipping can add new routes, client config, JavaScript chunks, and reachable services faster than anyone reviews them manually. Each run compares the live surface against the last known state and pulls out changes with security impact.
Secrets
JavaScript secrets, Supabase/Firebase exposure, webhook URLs, DSNs, and JWT previews are grouped with evidence attached.
Discovery
Owned API routes, GraphQL hints, staging exposure, admin surfaces, and sensitive services stay separate from CDN and image noise.
Handoff
States, PDF evidence, alerting, and recheck history keep cleanup moving without a separate spreadsheet.
Pricing
Each plan watches your public app and turns risky changes into clear action items.
For founders who need recurring, source-level coverage across one live product surface.
For teams shipping frequently that need daily drift detection and stronger validation before handoff.
For larger public surfaces that need broader validation, higher quota, and account-level summary.
Surface Drift