Will It Vibe logoWill It Vibe?
SECRET-040High severity-15 points

HTTP basic-auth credentials in URL

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

An http(s):// URL embeds user:password basic-auth credentials. The password travels in the URL, which lands in logs, browser history, and referer headers.

Why it matters

An http(s):// URL with user:password basic-auth credentials leaks the password into logs, browser history, proxy records, and referer headers, because the whole URL travels with the request. It is committed here on top of that. Anyone who reads the repo gets the credential.

How to fix it

Send basic-auth credentials in an Authorization header built from environment variables, not in the URL. Read the values at runtime. Rotate the exposed credential with the service afterward.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks