Fix guide · medium · html_comment_leak

HTML comment with developer note

What this rule means

An HTML comment in the page your server actually sends (the built output, not the source tree) contains TODO, FIXME, a staging password, or another developer-shaped note.

Why it matters

These end up in production by accident: a note written for a teammate survives the build and ships to every visitor. HTML comments are not hidden; anyone can read them with view-source or a single curl, and scanners look for exactly these strings. Common shapes: "<!-- TODO: replace API_KEY before launch -->", "<!-- staging admin password is ... -->", "<!-- old auth — remove after migration -->". Each is an attacker hint at minimum (which endpoints are legacy, what is unfinished, what the internal naming looks like) and a working credential at worst.

How to fix it

  1. Search your built output, not the source tree, for HTML comments containing TODO, FIXME, password, credential, secret, internal or staging: grep the dist/ (or equivalent) directory, or better, the bytes a real request returns, since that is what an attacker sees.
  2. Strip HTML comments from production builds. Most build tools support this: Vite has a plugin for it, Webpack's html-webpack-plugin runs html-minifier-terser on the template in production mode, Next.js minifies by default. Comments emitted at request time by a server template (PHP, ERB, Jinja, Blade) are not touched by a front-end build; use the template engine's own comment syntax there ({# #} in Jinja, <%# %> in ERB, {{-- --}} in Blade), which never reaches the client.
  3. Code review for source comments before shipping. Leave notes in source, where they belong, not in output; a stripping step is a safety net, not a reason to keep writing secrets in comments.
  4. If a stripped comment held a real credential, treat it as compromised: it was readable by anyone who fetched the page for as long as that build was deployed, and removing it from the next build does not undo that. Rotate the secret and check for use of it.
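The two mechanical steps above, finding developer-shaped comments in built output and stripping comments before shipping, as an added example in plain Node. This is not vibecheck's scanner or any build tool's code; the keyword list, the redaction rule and the sample HTML (including its made-up password) are assumptions constructed for the example.

```javascript
// Added example, not vibecheck's own scanner: find developer-shaped HTML comments
// in built output and strip comments before shipping. Plain Node, no dependencies.

// Non-greedy so one stray "<!--" cannot swallow the rest of the page.
const COMMENT_RE = /<!--([\s\S]*?)-->/g;

// Developer-shaped words worth a human look (assumed list; extend to match your own conventions).
const SUSPICIOUS_RE =
  /\b(todo|fixme|hack|xxx|password|passwd|credential|secret|api[_ -]?key|token|internal|staging)\b/i;

// "password is X", "api_key: X", "secret=X": mask X so the report does not re-leak it.
const VALUE_RE = /\b(password|passwd|secret|token|api[_ -]?key)\b(\s*(?:is|:|=)\s*)(\S+)/gi;

function redact(text) {
  return text.replace(VALUE_RE, (_m, key, sep) => `${key}${sep}[redacted]`);
}

// 1-based line number of a character offset, so a finding points at the file.
function lineOf(html, offset) {
  return html.slice(0, offset).split("\n").length;
}

// Returns one finding per comment that contains a suspicious word.
function findLeakyComments(html) {
  const findings = [];
  for (const m of html.matchAll(COMMENT_RE)) {
    const body = m[1].trim();
    const hit = body.match(SUSPICIOUS_RE);
    if (!hit) continue;
    findings.push({ line: lineOf(html, m.index), keyword: hit[1].toLowerCase(), match: redact(body) });
  }
  return findings;
}

// Removes comments. Conditional comments (<!--[if IE]> ... <![endif]-->) are kept
// because removing them changes what old browsers render; everything else goes.
function stripComments(html) {
  return html.replace(COMMENT_RE, (whole, body) =>
    /^(\[if\b|<!\[endif\])/i.test(body.trim()) ? whole : ""
  );
}

// Constructed sample of built output; the "password" below is made up for the example.
const SAMPLE_HTML = [
  "<!DOCTYPE html>",
  "<html><head>",
  "<!-- TODO: replace API_KEY before launch -->",
  "<!-- staging admin password is Hunter2-not-real -->",
  "</head><body>",
  "<!-- layout: main -->",
  "<!--[if IE]><p>Please upgrade your browser</p><![endif]-->",
  "<p>Hello</p>",
  "</body></html>",
].join("\n");

// Human-readable report lines, one per finding.
function scanReport(html) {
  return findLeakyComments(html).map((f) => `line ${f.line}: [${f.keyword}] ${f.match}`);
}

console.log(scanReport(SAMPLE_HTML).join("\n"));
console.log(stripComments(SAMPLE_HTML));
```

Point findLeakyComments at the files under dist/ (or at the body of a real HTTP response) and fail the build on a non-empty result. The regex is a lint, not an HTML parser: a literal "<!--" inside a script string would be matched too, so use stripComments as a pre-flight check and leave the actual stripping to the parser-based minifier in your build tool. Note that "layout: main" is not flagged, which is the point of keyword matching over blanket reporting, and that the report masks the value after "password is" so the scan output itself is safe to paste into a ticket.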

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the comment we found in the HTML your app serves, with the sensitive part masked. After applying the fix above, rebuild, redeploy, and run the inspection again; the finding should clear. If it does not, the comment is probably being produced at request time rather than at build time, so check server-side templates as well as the front-end build.
