Fix guide · low · internal_ip_in_client

Private / internal IP address in client code

What this rule means

An RFC 1918 private IP address (10.x.x.x, 172.16-31.x.x, 192.168.x.x) or a 169.254/16 link-local address was found in your bundle.

Why it matters

A hardcoded internal address reveals information about your internal network: backend hostnames, on-prem services, or VPN ranges. That information is useful for attacker reconnaissance if they ever get a foothold inside.

How to fix it

  1. Search your codebase for the IP. It's often a leftover from local dev (127.0.0.1, localhost).
  2. Replace with environment-aware config — use process.env.API_BASE_URL rather than hardcoded IPs.
  3. For unavoidable internal references, redact them in production builds via your build's env-var substitution.
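A build-time check for step 1, as an added example (not vibecheck's own scanner): it reports RFC 1918 and 169.254/16 literals in built files so a CI step can fail before the bundle ships. The `dist` directory, the script name and the file-extension list are assumptions.

```javascript
// Added example: find private / link-local IPv4 literals in build output.

// Four dotted octets that are not part of a longer dotted-number run
// (so "1192.168.1.1" and "1.10.0.0.1.2" are not reported).
const IPV4 = /(?<!\d|\d\.)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d|\.\d)/g;

function internalRange(a, b) {
  if (a === 10) return '10.0.0.0/8';
  if (a === 172 && b >= 16 && b <= 31) return '172.16.0.0/12';
  if (a === 192 && b === 168) return '192.168.0.0/16';
  if (a === 169 && b === 254) return '169.254.0.0/16';
  return null;
}

function findInternalIps(text) {
  const hits = [];
  for (const m of text.matchAll(IPV4)) {
    const octets = m.slice(1, 5).map(Number);
    if (octets.some((o) => o > 255)) continue; // not a valid IPv4 address
    const range = internalRange(octets[0], octets[1]);
    if (range) hits.push({ ip: m[0], range, offset: m.index });
  }
  return hits;
}

// Walk a build directory (path is an assumption, e.g. ./dist) and collect hits.
async function scanDir(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) findings.push(...(await scanDir(full)));
    else if (/\.(js|mjs|css|html|json|map)$/.test(entry.name)) {
      for (const hit of findInternalIps(fs.readFileSync(full, 'utf8'))) {
        findings.push({ file: full, ...hit });
      }
    }
  }
  return findings;
}

// CLI use: node check-internal-ips.js dist  (exit code 1 when anything is found)
if (process.argv[2]) {
  scanDir(process.argv[2]).then((found) => {
    for (const f of found) console.log(`${f.file}: ${f.ip} (${f.range})`);
    process.exitCode = found.length ? 1 : 0;
  });
}
```

Dotted version strings with exactly four components (for example `10.2.3.4`) still match, so review each hit before changing code.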

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
