Severity: Critical
Category: Exposed Secrets

Stripe API Keys Committed to Source Code

What Is This Vulnerability?

Stripe API keys are embedded directly in application source code. When that code is pushed to a repository, anyone who can read it, including its full commit history, can extract the keys. A leaked secret key (sk_live_) or restricted key (rk_live_) lets them make charges, issue refunds, and read customer payment data through the Stripe API; a publishable key (pk_live_) is lower impact but still should not be hardcoded.

Why It Happens

Developers often hardcode Stripe keys during initial setup or prototyping and forget to move them to environment variables before committing. Copy-pasting from Stripe dashboard quickstart guides without adapting the code for production use is another common cause.

Example Code

Vulnerable: payment.ts

// Live secret key hardcoded in source: anyone who can read this file, or the
// repository history after it is committed, holds full API access to the account.
const stripe = require("stripe")("sk_live_4eC39HqLyjWDarjtT1zdp7dc");

async function chargeCustomer(customerId: string, amount: number) {
  return stripe.charges.create({
    amount,
    currency: "usd",
    customer: customerId,
  });
}
Fixed: payment.ts

// Read the key from the environment and fail fast at startup if it is missing,
// before the client is constructed and before any request can be made.
const stripeSecretKey = process.env.STRIPE_SECRET_KEY;
if (!stripeSecretKey) {
  throw new Error("STRIPE_SECRET_KEY is not configured");
}
const stripe = require("stripe")(stripeSecretKey);

async function chargeCustomer(customerId: string, amount: number) {
  return stripe.charges.create({
    amount,
    currency: "usd",
    customer: customerId,
  });
}

How Hackers Exploit It

Attackers scan public repositories using automated tools that detect Stripe key patterns (sk_live_ and rk_live_ prefixes). Once found, they can process fraudulent charges, access customer data, modify account settings, and drain funds. Bots continuously scrape GitHub for newly committed secrets.
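The pattern scan described above, as an added example rather than code from this page: a small TypeScript scanner that applies the sk_live_, rk_live_ and pk_live_ patterns (plus their test-mode variants) to a set of constructed file contents and reports redacted findings, in the spirit of what gitleaks or GitHub secret scanning do. The file names, the sample contents and the assumption that a key has at least 24 alphanumeric characters after its prefix are assumptions made for the example.

```typescript
// Added example (not the page's code): a minimal scanner for Stripe key
// patterns, the kind of check gitleaks or GitHub secret scanning performs.

type KeyKind = "secret" | "restricted" | "publishable";

interface Finding {
  file: string;
  line: number;
  kind: KeyKind;
  redacted: string;
}

// Assumption: Stripe keys are <prefix>_<live|test>_ followed by at least 24
// alphanumeric characters. Test-mode keys are flagged too; they are lower
// impact but still show that secrets are being committed.
const KEY_PATTERNS: Array<{ kind: KeyKind; re: RegExp }> = [
  { kind: "secret", re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { kind: "restricted", re: /\brk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { kind: "publishable", re: /\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
];

// Report enough of the key to locate it in the Stripe dashboard without
// reprinting the full secret into scanner output or CI logs.
function redactKey(key: string): string {
  return key.slice(0, 8) + "..." + key.slice(-4);
}

function scanText(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    for (const pattern of KEY_PATTERNS) {
      pattern.re.lastIndex = 0; // a global regex keeps state between calls
      let match: RegExpExecArray | null;
      while ((match = pattern.re.exec(lines[i])) !== null) {
        findings.push({ file, line: i + 1, kind: pattern.kind, redacted: redactKey(match[0]) });
      }
    }
  }
  return findings;
}

function scanFiles(files: { [name: string]: string }): Finding[] {
  let findings: Finding[] = [];
  for (const name in files) {
    findings = findings.concat(scanText(name, files[name]));
  }
  return findings;
}

// Only secret and restricted keys give an attacker server-side access; a
// publishable key in source is a hygiene issue, not a critical finding.
function hasCriticalFinding(findings: Finding[]): boolean {
  return findings.some((f) => f.kind !== "publishable");
}

// Constructed sample repository contents. The key-shaped strings are made up
// to match the format and are not real credentials.
const SAMPLE_FILES: { [name: string]: string } = {
  "src/payment.ts": 'const stripe = require("stripe")("sk_live_4eC39HqLyjWDarjtT1zdp7dc");\n',
  ".env.example": "STRIPE_SECRET_KEY=\nSTRIPE_PUBLISHABLE_KEY=pk_test_TYooMQauvdEDq54NiTphI7jx\n",
  "scripts/report.py": 'client = stripe.Client("rk_live_51AbCdEfGhIjKlMnOpQrStUvWx")\n',
  "README.md": "Set STRIPE_SECRET_KEY in your environment; never commit sk_live_ values.\n",
};

function runSampleScan(): Finding[] {
  return scanFiles(SAMPLE_FILES);
}
```

Running runSampleScan() over the constructed files reports three findings: the hardcoded live secret key, the restricted key in the script, and the publishable test key in .env.example; the bare sk_live_ prefix in the README does not match, so documentation that merely names the prefix is not flagged. Pointing scanText at each revision of a file from git history, not just the working tree, is what catches keys that were committed and later removed.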

How to Fix It

Store Stripe keys in environment variables or a dedicated secrets manager such as AWS Secrets Manager or HashiCorp Vault, and check at startup that the key is present so a misconfigured deployment fails fast instead of failing on the first charge. Add .env to your .gitignore file, and run a secret scanner such as gitleaks in a pre-commit hook or CI so a key is caught before it reaches the remote. Use Stripe restricted keys with only the permissions your application needs, and keep test-mode keys in development. Rotate any key that has ever been committed to version control; rewriting or deleting history is not enough, because clones, forks, and scanner caches keep copies of the old commits.

Frequently Asked Questions

How do I know if my Stripe key has been leaked?
Check your Stripe dashboard for unexpected API activity. Use GitHub secret scanning alerts and tools like truffleHog or gitleaks to scan your repository history. Stripe also sends email notifications if it detects your keys in public repositories.
Is the publishable key safe to commit?
Stripe publishable keys (pk_live_) are designed to be used in client-side code and are not as sensitive as secret keys. However, it is still best practice to load them from environment variables so you can rotate them without code changes and keep test and production keys separate.
What should I do if my Stripe secret key was committed?
Treat the key as compromised, even if the repository was private. Roll the key in your Stripe dashboard immediately and expire the old key at once unless you need a short overlap to deploy the new one; once the old key is revoked it can no longer be used. Then remove the key from your code, load it from environment variables instead, and audit your Stripe logs for charges, refunds, or API calls you did not make.
Can I use restricted API keys to limit damage?
Yes. Stripe restricted keys let you grant only specific permissions (for example, read-only access to charges). Even if a restricted key leaks, the attacker can only perform the actions you allowed, significantly reducing the blast radius.
