Heimdall Scan logo, AI security scanner for vibe coders
Heimdall ScanOpen Beta
WarningAccess Control

Leftover test, seed, and debug API routes in production

Debug endpoints are API routes built for local development or testing, like seeding the database or sending a test email, that get committed and deployed alongside the real app without anyone deciding they should be public.

#What goes wrong

While building a feature, it's normal to ask your AI editor for a quick /api/seed or /api/test-email route to check that something works. It does its job locally and then stays in the repo, unprotected, because nobody circles back to remove it before shipping.

#Why it matters

Anyone who discovers one of these routes, often by guessing common names or finding them in a client-side bundle, can trigger whatever the route does. A seed route can wipe or overwrite real data. A test-email route can be used to spam or to burn through your email provider's quota.

#How Heimdall checks for this

Heimdall looks through your API routes for names that suggest a development or testing purpose, like seed, test, debug, or dev, and checks whether they're gated behind authentication or an environment check.

#How to fix it

Delete debug routes before shipping to production. If you need to keep one for staging, gate it behind both an admin-only check and a check that process.env.NODE_ENV isn't 'production' so it can't run in the live environment.

Frequently asked questions

Should I keep these routes for a staging environment?

What if the route name isn't obviously a debug route?

Is a route safe if I never documented it?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 29 other issues in under a minute.