
Website Exposed Files Scanner

We scan 189 paths for exposed .env files, API keys, and AI system prompts. Find out what attackers can see in seconds. Free and no signup.

Is this safe? Yes, we only make lightweight HTTP requests to publicly accessible URLs. No invasive testing, no data stored, and your site won't even notice.
Use our exposed .env file checker and website security scanner to see whether your domain is leaking secrets. Find an exposed .env file or API key before an attacker does. The scan also includes a .git exposure check and an AI prompt leak detector.

What Our Security Scanner Detects

We check 9 categories of sensitive files across 189 common paths. Six of the categories are listed below.

Category            | Files Checked                                       | Risk Level | Paths
--------------------|-----------------------------------------------------|------------|------
AI / LLM Files      | SKILL.md, .cursorrules, CLAUDE.md, system prompts   | HIGH       | 36
Secrets & Env Files | .env, API keys, Firebase config, AWS credentials    | CRITICAL   | 27
Git Exposure        | .git/config, HEAD, refs                             | CRITICAL   | 10
Package & Build     | package.json, Dockerfile, netlify.toml              | MEDIUM     | 31
Server Config       | wp-config.php, .htaccess, phpinfo                   | HIGH       | 19
Backups & Debug     | SQL dumps, error logs, .DS_Store                    | HIGH       | 22

How It Works

A simple, non-invasive process that shows you what is exposed on your domain in seconds.

1. Enter Domain

   Type in the domain name you want to check. No signup or installation required.

2. Fast Scanning

   Our tool makes lightweight HTTP requests to 189 commonly exposed sensitive file paths.

3. Get Report

   Review your findings instantly, then remove or block the exposed files to protect your web application.

Pricing

From free scans to continuous monitoring

Free

$0
One-off scans for quick checks
  • 5 scans per day
  • All 189 paths
  • Severity ratings
  • Shareable report link

Agency

$79/mo
For agencies and consultants
  • Everything in Pro
  • 50 monitored domains
  • White-label PDF reports
  • Client dashboard
  • Bulk CSV scan import
  • API access

FAQ

Is it legal to scan someone else's domain?
SiteLeak only checks publicly accessible URLs, using the same requests any browser or search engine crawler makes. We don't exploit vulnerabilities, bypass authentication, or access private systems. That said, we recommend only scanning domains you own or have permission to test.
Is it safe to run a scan on my website?
Yes. SiteLeak is a passive, non-invasive scanner: it only sends ordinary HTTP GET requests for specific public URLs, the same kind of request a browser or search engine crawler makes, to see whether those files exist. It does not exploit vulnerabilities, bypass authentication, or put meaningful load on your server, so it does not affect your site's speed or uptime. The requests do appear in your access logs like any other traffic, so a WAF or rate limiter may log or block some of them.
Will you store or share my scan results?
Scan results are stored securely so you can revisit or share your report via its unique link. Your findings are yours; we don't sell or share them, and you can request their deletion at any time.
What exactly do you scan for?
We check 189 paths where sensitive files are commonly left exposed, including .env files, .git directories, wp-config.php, internal AI prompt files, .DS_Store files, and various other debug and configuration files that attackers look for.
Does the free scan affect my site's performance?
Not at all. The scan behaves like a regular web browser, making a small number of fast HTTP requests to commonly exposed paths. It does not perform invasive attacks, fuzzing, or brute-forcing.
What's the difference between this and a full penetration test?
SiteLeak checks for passive file exposure, looking for things accidentally left publicly accessible. A full pentest actively probes for vulnerabilities, exploits logic flaws, and requires authorization. Think of us as the first 5 minutes of what a hacker does before they get serious.
Why did my scan show a false positive?
Some servers return a 200 OK status for any URL, even ones that don't exist (called a "soft 404"). We flag these where possible, but if a result looks unexpected, try opening the URL directly in your browser to confirm.
How often should I scan my domain?
After any deployment, dependency update, or infrastructure change. Exposed files most often appear right after a deploy. Pro users get automated weekly scans so this happens without thinking about it.
What happens when you find something exposed?
Your report shows the exact URL, file type, severity level, and a plain-English explanation of what the risk is. Pro users also see a preview of the actual file contents and a recommended fix.
Can I scan subdomains?
Yes, enter any subdomain directly (e.g. api.yourdomain.com). Each subdomain counts as a separate scan against your daily limit.
What's in the shareable report link?
Free scans generate a unique URL you can send to a client or developer without them needing an account. It shows findings, severity ratings, and remediation notes. Pro reports are also exportable as PDF.
How does continuous monitoring work?
When you upgrade to Pro, we automate the scans to run weekly. If a new exposed file is discovered, we instantly send an alert to your email and Slack channel.
What is an exposed .env file and why is it dangerous?
A .env file stores environment variables such as database passwords, API keys, and secret tokens. If it is publicly accessible, an attacker can use those credentials to access your database, cloud storage, email service, or payment processor within minutes. Keep .env files outside the web root or deny all requests to dotfiles at the web server, and if a .env file has been exposed, treat every credential in it as compromised and rotate it.
What is Git directory exposure?
If the .git directory is served by a web server, attackers can download the object database and reconstruct your entire source code, including the commit history and any secrets that were ever committed, even if they were removed in a later commit. Do not deploy the .git directory to the web root (or deny requests to /.git/ at the web server), and rotate any secret that was ever committed to the repository.
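The following is an added example of the confirmation steps described in the soft-404 answer and in the two answers above: measure what the server returns for a path that cannot exist, treat near-identical responses as soft 404s, and report a path as exposed only when the body actually looks like the file type requested (KEY=VALUE lines for .env, a [core] section for .git/config). It is illustrative code, not SiteLeak's scanner. The probe path, the similarity threshold, the fingerprint patterns and the sample responses are all assumptions constructed for the example; nothing is fetched from the network.

```python
import difflib
import re

# Probe path that should not exist on any real site; its response is the
# soft-404 baseline. Illustrative name, not the scanner's actual probe.
PROBE_PATH = "/__probe-8f3a1c"

# Content fingerprints: a 200 only counts as "exposed" when the body looks
# like the file we asked for, not like a page the server serves for any URL.
SIGNATURES = {
    "/.env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\[core\]", re.M),
    "/wp-config.php": re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]"),
    "/backup.sql": re.compile(r"^(CREATE TABLE|INSERT INTO)\b", re.M | re.I),
    "/phpinfo.php": re.compile(r"PHP Version", re.I),
}


def soft404_page(path):
    """Constructed 'page not found' template that echoes the requested path."""
    return ("<html><head><title>Page not found</title></head><body>"
            f"<h1>We could not find {path}</h1>"
            "<p>Try the homepage or use search.</p></body></html>")


# Constructed responses standing in for HTTP fetches of one target site:
# path -> (status, body). The secret values are placeholders, not real data.
SAMPLE_SITE = {
    PROBE_PATH: (200, soft404_page(PROBE_PATH)),              # server soft-404s
    "/.env": (200, "APP_ENV=production\nAPP_KEY=base64:placeholder\n"
                   "DB_PASSWORD=placeholder\nSTRIPE_SECRET=sk_placeholder\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
                          "[remote \"origin\"]\n\turl = git@github.com:example/app.git\n"),
    "/wp-config.php": (200, soft404_page("/wp-config.php")),  # 200, but an error page
    "/backup.sql": (404, "Not Found"),
    "/phpinfo.php": (200, "<!doctype html><h1>Welcome to Example Shop</h1>"
                          "<p>Spring sale now on.</p>"),      # 200, but not phpinfo output
}


def fetch(site, path):
    """Stand-in for an HTTP GET against the sample site; unknown paths get a real 404."""
    return site.get(path, (404, "Not Found"))


def soft404_baseline(site, fetch=fetch):
    """Body the server returns for a path that cannot exist, or None when it
    answers with a real 404 (then the status code alone is more trustworthy)."""
    status, body = fetch(site, PROBE_PATH)
    return body if status == 200 else None


def looks_like_baseline(body, baseline, threshold=0.85):
    """True when the body is near-identical to the soft-404 page. The echoed
    path differs between the two, so compare by similarity, not equality.
    The 0.85 threshold is an assumed heuristic, not a measured value."""
    if baseline is None:
        return False
    return difflib.SequenceMatcher(None, body, baseline).ratio() >= threshold


def classify(path, status, body, baseline):
    """Decide what one response means; only a fingerprint match is 'exposed'."""
    if status == 404:
        return "not_found"
    if status != 200:
        return "unconfirmed"   # 401/403/5xx: the file may exist but is not readable
    if looks_like_baseline(body, baseline):
        return "soft_404"
    sig = SIGNATURES.get(path)
    if sig is not None and sig.search(body):
        return "exposed"
    return "unconfirmed"       # 200 with unrelated content: confirm by hand


def scan(site, paths, fetch=fetch):
    """Scan a list of paths against a site, measuring the soft-404 baseline first."""
    baseline = soft404_baseline(site, fetch)
    return {p: classify(p, *fetch(site, p), baseline) for p in paths}


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_SITE, list(SIGNATURES)).items():
        print(f"{verdict:12} {path}")
```

In the sample, /wp-config.php returns 200 but is classified as a soft 404 because its body matches the probe response, while /.env and /.git/config are confirmed by content. A real scanner would fetch with a short timeout and a fixed User-Agent, and would still treat "unconfirmed" results as worth a manual look rather than silently dropping them.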

See what attackers can see on your domain

Run a free exposure scan in under 15 seconds. No signup required.