Security / Quiz

Secrets in the Wild

API keys in git, tokens in logs, secrets in the client bundle, find the leaks before an attacker (or a scanner) does.

Difficulty
Medium
Format
Quiz
Points
150
Estimate
8 min

// MISSION BRIEF

Your Mission

The fastest way into a system is a leaked credential. This quiz is about recognizing where secrets leak and how to test that they don't, a defensive skill every QA engineer should own.

// FIRST CONTACT

Battle teaser

A React app reads `process.env.STRIPE_SECRET_KEY` in a client component to call Stripe directly. The problem:

  1. AStripe keys are safe to expose
  2. BReact can't read env vars
  3. CThe secret ships in the browser bundle, anyone can read it in devtools. Secret keys must stay server-side
  4. DIt's fine if the repo is private
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

securitysecretsleaksrotation