Information Disclosure: Exposed Config File
Identifier:
exposed_config_file
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
JavaScript configuration objects attached to the global window object (for example window.config, window.env or window.settings) may reveal sensitive information such as API endpoints, authentication tokens, feature flags, internal service URLs, and other configuration details. Anything reachable from window is readable by every user of the page and by any script running in it, through browser DevTools, the page source or a one-line console lookup, so minifying or obfuscating the bundle does not protect these values.
How we test: We analyze client-side JavaScript code and page sources to detect configuration objects exposed on the window object (e.g., window.config, window.env, window.settings), and we check their contents for sensitive data such as API keys, tokens, or internal URLs that should never be shipped to client-side code.
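As an added illustration of the check described above (this is not Escape's scanner code), the following script walks the configuration-looking globals on a window object and flags leaves whose key name or value shape suggests a secret or an internal endpoint. The `sampleWindow` object, its hostnames and the token and key values in it are constructed for the demo and not captured from any real site; the name and value patterns are assumptions about what a scanner might look for, not the scanner's actual rule set.

```javascript
// Added example (not Escape's scanner code): heuristic check for configuration
// objects hung off `window` that carry secrets or internal endpoints.
// Runs in a browser console against the real `window`, or in Node against the
// constructed `sampleWindow` below.

// Global names that usually hold app configuration (window.config, window.env, ...).
const CONFIG_NAME_RE = /config|env|settings/i;

// Key names that should never carry a value in client-side code (assumed list).
const SENSITIVE_KEY_RE = /api[_-]?key|access[_-]?key|secret|token|password|passwd|credential|private[_-]?key/i;

// Value shapes: JWT-like, AWS access key ID, and hosts that point inside the perimeter.
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;
const AWS_KEY_ID_RE = /^AKIA[0-9A-Z]{16}$/;
const INTERNAL_URL_RE = /^(?:https?:)?\/\/(?:localhost|127\.0\.0\.1|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|[^/:]+\.(?:internal|local|corp|lan))(?::\d+)?(?:\/|$)/i;
// Long opaque strings that look like keys; URLs and sentences fall outside this charset.
const HIGH_ENTROPY_RE = /^[A-Za-z0-9+/=_-]{32,}$/;

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Names of window properties that look like configuration objects.
function findConfigObjects(win) {
  return Object.keys(win).filter((k) => CONFIG_NAME_RE.test(k) && isPlainObject(win[k]));
}

// Why a string leaf is interesting; an empty array means "looks harmless".
function classifyLeaf(key, value) {
  const reasons = [];
  if (SENSITIVE_KEY_RE.test(key)) reasons.push('sensitive-key-name');
  if (JWT_RE.test(value)) reasons.push('jwt-like-value');
  else if (AWS_KEY_ID_RE.test(value)) reasons.push('aws-access-key-id');
  else if (INTERNAL_URL_RE.test(value)) reasons.push('internal-url');
  else if (HIGH_ENTROPY_RE.test(value)) reasons.push('high-entropy-string');
  return reasons;
}

// Walk every config object. The WeakSet and depth cap guard against cycles such as
// window.window or config objects that reference the window they live on.
function findExposedConfig(win, maxDepth = 6) {
  const findings = [];
  const seen = new WeakSet();
  const walk = (obj, path, depth) => {
    if (depth > maxDepth || seen.has(obj)) return;
    seen.add(obj);
    for (const [key, value] of Object.entries(obj)) {
      const here = `${path}.${key}`;
      if (typeof value === 'string') {
        const reasons = classifyLeaf(key, value);
        // Report a truncated preview only: a finding must not re-leak the full secret.
        if (reasons.length) findings.push({ path: here, reasons, preview: value.slice(0, 12) + '...' });
      } else if (isPlainObject(value) || Array.isArray(value)) {
        walk(value, here, depth + 1);
      }
    }
  };
  for (const name of findConfigObjects(win)) walk(win[name], `window.${name}`, 0);
  return findings;
}

// Constructed stand-in for a real page's window object (not captured from any site).
const sampleWindow = {
  document: {},
  location: { href: 'https://app.example.com/' },
  config: {
    apiBaseUrl: 'https://api.example.com/v1',            // public endpoint: fine
    features: { newCheckout: true },                      // feature flag: boolean, not flagged here
    analyticsKey: 'UA-12345-1',                           // publishable id, matches no secret pattern
    internalApi: 'http://billing.internal:8080/graphql',  // internal hostname leaks topology
    auth: { token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWZvci1kZW1v' }, // JWT-shaped
  },
  __env__: { AWS_ACCESS_KEY_ID: 'AKIAEXAMPLEEXAMPLE01' }, // credential shape in the wrong place
  settings: { theme: 'dark' },
};
sampleWindow.window = sampleWindow; // real browsers alias window.window; exercises the cycle guard

// In a browser console this inspects the live page; in Node it inspects the sample.
const target = typeof window !== 'undefined' ? window : sampleWindow;
console.log(JSON.stringify(findExposedConfig(target), null, 2));
```

On the sample, the public API base URL, the feature flag and the analytics id produce nothing, while the internal hostname, the JWT-shaped token and the AWS-shaped key are reported with the reason that matched. Pasting the block into DevTools on a real page gives a first-pass view of what the check above looks for; anything it flags belongs on the server side, behind an authenticated endpoint, rather than in the bundle.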
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.