ShieldScan
acme-goods.myshopify.com
Acme Goods has 3 security issues requiring attention — including a critical exposed API key.
Wed, May 20 · 06:55 AM
Critical: 1 · High: 1 · Medium: 1 · Total: 3
Security checks performed
10 checks
Store configuration
Acme Goods · Shopify Plus plan
Theme library
3 themes reviewed · 1 unpublished · 1 published
Theme code security
1 suspicious pattern found in active theme
App permissions
8 read-only scopes · no write access
Injected scripts
4 scripts · all HTTPS · 2 from third-party domains
Storefront access
Publicly accessible — no password page
HTTP security headers
4 of 6 headers present · 2 missing
GDPR compliance webhooks
All 3 compliance webhooks registered
Deep virus scan
28 files scanned — no threats detected
API keys & secrets scan
1 exposed secret found in theme files
Findings
What was found
A Stripe secret key (sk_live_) was found hardcoded in assets/checkout.js.
Why this matters
A stolen Stripe secret key gives full access to your Stripe account — attackers can issue refunds, read customer payment data, and transfer funds.
How to fix it
Immediately rotate the Stripe key from your Stripe dashboard. Remove it from the theme file and store it as a server-side environment variable instead.