Warning · Infrastructure

Hardcoded localhost and development URLs in your code

This check looks for web addresses, most often localhost or a local dev server port, written directly into your source code instead of read from an environment variable or config setting.

What goes wrong

While building a feature, it's easiest to point a fetch call or a redirect at a local address and move on. It works during development because that's genuinely where the app is running, and it's easy to forget to swap it out before deploying.

Why it matters

Once deployed, a hardcoded localhost URL points nowhere real. Login redirects fail, webhook callbacks never arrive, and links in emails take users to their own laptop instead of your production app. These bugs are especially confusing because they only show up after deployment, not in local testing.

How Heimdall checks for this

Heimdall scans your codebase for literal localhost addresses or common local dev ports written directly into URLs, and flags any that aren't clearly limited to a local-only code path.

How to fix it

Replace hardcoded URLs with a value read from an environment variable, like NEXT_PUBLIC_APP_URL, set differently for local development and production. Most frameworks, including Next.js, have a standard convention for this.
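As an added example (not Heimdall's code), here is the flagged pattern beside the environment-driven replacement described under "How to fix it", together with a small scanner for the literal pattern that "How Heimdall checks for this" describes. The function names, the port-3000 fallback, the regex and the sample source are assumptions made for this example, not Heimdall's detection rules.

```javascript
// Literal local addresses with an optional port. Constructed for this example.
const LOCAL_URL_RE = /https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])(:\d+)?/i;

// Before: the pattern the check flags. Works on a laptop, points nowhere once deployed.
function buildLoginRedirectHardcoded(path) {
  return "http://localhost:3000" + path;
}

// After: the base URL comes from the environment. `env` is a parameter so the
// function is testable; in a Next.js app it defaults to process.env.
function getAppUrl(env = process.env) {
  const isProd = env.NODE_ENV === "production";
  const raw = env.NEXT_PUBLIC_APP_URL;
  if (!raw) {
    // Fail loudly in production instead of silently redirecting to localhost.
    if (isProd) throw new Error("NEXT_PUBLIC_APP_URL must be set in production");
    return "http://localhost:3000"; // explicit, guarded local-only fallback
  }
  const url = new URL(raw); // throws if the value is not an absolute URL
  if (isProd && url.protocol !== "https:") {
    throw new Error("NEXT_PUBLIC_APP_URL must use https in production");
  }
  if (isProd && LOCAL_URL_RE.test(url.origin)) {
    // Same bug moved into configuration: production env pointing at a local address.
    throw new Error("NEXT_PUBLIC_APP_URL points at a local address in production");
  }
  return url.origin; // normalised, no trailing slash
}

function buildLoginRedirect(path, env = process.env) {
  return new URL(path, getAppUrl(env)).toString();
}

// Scans source text line by line and reports literal local URLs. Whether a hit
// sits in a genuinely local-only code path is left to the reviewer.
function findHardcodedLocalUrls(source) {
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((entry) => LOCAL_URL_RE.test(entry.text));
}

// Constructed sample source, not taken from a real repository.
const SAMPLE_SOURCE = [
  'const api = "http://localhost:3000/api";',
  'fetch("http://127.0.0.1:8080/health");',
  'const base = process.env.NEXT_PUBLIC_APP_URL;',
  'redirect("https://app.example.com/login");',
].join("\n");
```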

Frequently asked questions

Is localhost ever fine to leave in the code?

Why does this happen with AI-generated code specifically?

How do I catch this before deploying?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 29 other issues in under a minute.