Skip to content

blog

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

blog

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
analytics-trackers-risk-signals
analytics-trackers-risk-signals
 
 
audit-browser-visible-integrations
audit-browser-visible-integrations
 
 
browser-based-recon-workflow-modern-web-apps
browser-based-recon-workflow-modern-web-apps
 
 
browser-request-patterns-third-party-risk
browser-request-patterns-third-party-risk
 
 
build-browser-evidence-package-for-security-review
build-browser-evidence-package-for-security-review
 
 
cloudflare-marketing-vs-dashboard-boundaries
cloudflare-marketing-vs-dashboard-boundaries
 
 
extension-vs-devtools-request-inspection
extension-vs-devtools-request-inspection
 
 
false-positives-exposed-secrets-frontend
false-positives-exposed-secrets-frontend
 
 
frontend-leakage-signals-without-false-certainty
frontend-leakage-signals-without-false-certainty
 
 
frontend-security-audit-checklist
frontend-security-audit-checklist
 
 
github-public-frontend-footprints
github-public-frontend-footprints
 
 
hardcoded-ai-service-credentials-client-side
hardcoded-ai-service-credentials-client-side
 
 
hidden-external-service-dependencies-browser-signals
hidden-external-service-dependencies-browser-signals
 
 
how-to-assess-debug-endpoints-and-dev-paths-from-frontend-artifacts
how-to-assess-debug-endpoints-and-dev-paths-from-frontend-artifacts
 
 
how-to-detect-exposed-api-keys-in-frontend-javascript
how-to-detect-exposed-api-keys-in-frontend-javascript
 
 
how-to-find-exposed-api-keys-in-frontend
how-to-find-exposed-api-keys-in-frontend
 
 
how-to-review-graphql-endpoints-from-browser-evidence
how-to-review-graphql-endpoints-from-browser-evidence
 
 
how-to-scan-javascript-bundles-for-secrets
how-to-scan-javascript-bundles-for-secrets
 
 
how-to-tell-if-a-client-side-token-is-just-session-state-or-a-real-exposure
how-to-tell-if-a-client-side-token-is-just-session-state-or-a-real-exposure
 
 
how-to-verify-source-map-exposure-without-overclaiming
how-to-verify-source-map-exposure-without-overclaiming
 
 
how-to-verify-whether-a-browser-visible-api-key-is-restricted
how-to-verify-whether-a-browser-visible-api-key-is-restricted
 
 
inspect-ai-enabled-sites-integration-clues
inspect-ai-enabled-sites-integration-clues
 
 
inspect-fetch-xhr-traffic-security-triage
inspect-fetch-xhr-traffic-security-triage
 
 
inspect-suspicious-outbound-requests
inspect-suspicious-outbound-requests
 
 
investigate-suspicious-javascript-bundles
investigate-suspicious-javascript-bundles
 
 
leaked-endpoints-passive-recon
leaked-endpoints-passive-recon
 
 
manual-review-vs-automated-detection-frontend
manual-review-vs-automated-detection-frontend
 
 
package-browser-request-evidence
package-browser-request-evidence
 
 
passive-scanning-vs-active-probing-frontend-review
passive-scanning-vs-active-probing-frontend-review
 
 
real-signals-client-side-secret-exposure
real-signals-client-side-secret-exposure
 
 
review-asset-loading-behavior-recon
review-asset-loading-behavior-recon
 
 
review-client-side-feature-flags-hidden-service-dependencies
review-client-side-feature-flags-hidden-service-dependencies
 
 
review-script-loaded-assets-hidden-dependencies
review-script-loaded-assets-hidden-dependencies
 
 
separate-noisy-browser-traffic-from-security-signals
separate-noisy-browser-traffic-from-security-signals
 
 
shopify-marketing-vs-product-frontend
shopify-marketing-vs-product-frontend
 
 
source-map-false-positives-what-looks-scary-but-isnt-proof
source-map-false-positives-what-looks-scary-but-isnt-proof
 
 
source-maps-and-frontend-artifacts
source-maps-and-frontend-artifacts
 
 
stripe-dashboard-sourcemaps
stripe-dashboard-sourcemaps
 
 
suspicious-api-calls-what-they-prove
suspicious-api-calls-what-they-prove
 
 
trace-third-party-script-chains-before-calling-them-risky
trace-third-party-script-chains-before-calling-them-risky
 
 
trello-atlassian-chunk-discipline
trello-atlassian-chunk-discipline
 
 
verify-ai-web-app-provider-credential-leakage
verify-ai-web-app-provider-credential-leakage
 
 
verify-suspicious-endpoint-reachability
verify-suspicious-endpoint-reachability
 
 
when-browser-evidence-needs-manual-review
when-browser-evidence-needs-manual-review
 
 
why-browser-side-evidence-still-matters
why-browser-side-evidence-still-matters
 
 
why-public-endpoints-are-signals-not-proof
why-public-endpoints-are-signals-not-proof
 
 
yahoo-front-end-architecture
yahoo-front-end-architecture
 
 
README.md
README.md
 
 

README.md

SourceDetector Blog Lane

Goal

Publish one high-signal English article every 6 hours to the GitHub Pages site under docs/blog/, then update the homepage entry when appropriate.

Content principles

  • Not shallow news reposts.
  • Must contain an original technical angle, not just "site X exposes source maps".
  • Must naturally increase desire to use SourceDetector.
  • Must stay evidence-based and avoid exploit-style operational detail.
  • Tone: geeky, sharp, opinionated, interesting, calm.

Article pattern

  1. Pick one publicly observable front-end / client-side artifact pattern.
  2. Build one central thesis with independent judgment.
  3. Use 2-5 concrete public evidence points.
  4. Explain why it matters for architecture / security / engineering operations.
  5. Convert curiosity into product pull for SourceDetector.
  6. Publish under docs/blog/<slug>/index.html.
  7. Add or rotate a homepage entry in docs/index.html.
  8. Commit, push, and verify Pages deployment.

Hard guardrails

  • Do not claim a breach unless there is direct evidence.
  • Public source maps are evidence of exposure, not automatic compromise.
  • Prefer architecture insight, operational tradeoff, and engineering lessons.
  • End with a natural CTA to install SourceDetector.

Minimum delivery proof

  • New blog URL/path
  • Commit hash
  • Push success
  • Pages deployment check or GitHub workflow evidence