Security / Quiz
Secrets in the Wild
API keys in git, tokens in logs, secrets in the client bundle, find the leaks before an attacker (or a scanner) does.
- Difficulty
- Medium
- Format
- Quiz
- Points
- 150
- Estimate
- 8 min
// MISSION BRIEF
Your Mission
The fastest way into a system is a leaked credential. This quiz is about recognizing where secrets leak and how to test that they don't, a defensive skill every QA engineer should own.
// FIRST CONTACT
Battle teaser
A React app reads `process.env.STRIPE_SECRET_KEY` in a client component to call Stripe directly. The problem:
- AStripe keys are safe to expose
- BReact can't read env vars
- CThe secret ships in the browser bundle, anyone can read it in devtools. Secret keys must stay server-side
- DIt's fine if the repo is private
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
securitysecretsleaksrotation