All fix guides
WarningSecurity & HTTPS

How to Remove Sensitive HTML Comments

Your audit found HTML comments in the page's raw source that expose internal detail: server file paths, internal IP addresses, CMS or plugin version numbers, TODO/FIXME notes, or references to staging and debug environments. These comments are invisible on the rendered page but sit in plain text in every response your server sends, so any visitor, scraper, or AI crawler that fetches the raw HTML can read them. This is a passive information-disclosure warning, not proof of a breach, and the fix is to stop shipping internal notes to production and strip comments at build time.

What this means

An HTML comment (<!-- like this -->) never renders on screen, but it is not hidden from anything that reads the response body instead of the rendered page. "View Source" in any browser shows it, curl shows it, and so does every crawler that fetches your HTML directly. The sensitive_html_comment check scans your page's raw source for comment blocks and flags the ones that look like they carry internal or sensitive detail rather than harmless markup notes.

What typically trips this check: filesystem paths (Unix-style paths like /var/www/html/ or /home/deploy/, or a Windows path under inetpub), private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x), developer shorthand (TODO, FIXME, HACK, "remove before launch", "don't tell client"), credential-shaped strings (password, api_key, secret, token), CMS or plugin/theme version banners, and mentions of staging, dev, or internal hostnames.

Not every comment is a problem. <!-- start hero section --> or <!-- Google Tag Manager --> are structural markers and get left alone; they carry no information an attacker or competitor could use. The finding is specifically about comments that leak something internal, and it's a warning rather than a critical error because reading a comment isn't itself an exploit. No code executes and no data is stolen just because the text is present.

Worth being upfront about: this check is pattern-based, so it will occasionally flag something borderline, a TODO about page copy rather than code, or a version string that's already public elsewhere. Treat a flag as a prompt to review the comment, not an automatic verdict that your site is compromised.

Why it matters

Information disclosure is a reconnaissance tool, not an exploit by itself, but it shortens the distance to one. A comment that names an exact CMS, plugin, or theme version tells an attacker precisely which known vulnerabilities to try, skipping the guesswork of fingerprinting your stack first. Internal IPs and file paths reveal your server layout and OS, which narrows what they need to probe. Penetration testers flag this category of finding constantly for exactly this reason: none of it is a breach, all of it makes a real breach easier if another weakness exists.

Occasionally a comment holds more than a note, an actual API key or password pasted in during debugging and forgotten. If that's what triggered this flag, treat it as more urgent than general hygiene: rotate the credential immediately, then remove the comment. A leaked secret doesn't become safe just because it's easy to fix in hindsight.

The angle specific to AI crawlers is worth understanding on its own terms. Bots like GPTBot, ClaudeBot, PerplexityBot, and CCBot fetch the raw HTML response the same way curl does; they don't render the page in a browser that visually discards comments the way a human reader's eyes skip past invisible markup. Whatever sits in a comment is exactly what these systems receive, and it can persist in whatever index, cache, or training pipeline consumes that fetch. Invisible on the page and invisible to machines are not the same thing, and comments are a common place people forget that.

To be clear about what this isn't: Google does not rank pages down for having HTML comments, and this finding has no direct SEO effect. The value of fixing it is entirely security hygiene, reducing what a stranger can learn about your stack for free, not search visibility.

How to fix it

  1. 1

    Audit what's actually shipped, not just your source files

    View-source or run curl -s https://yoursite.com/page | grep -i '<!--' on the live, production page, not your local editor. Read every comment against the categories above: paths, internal IPs, credentials, version strings, staging references, and TODO/FIXME notes. A dev build and a production build can differ, so check what's actually served.

  2. 2

    Strip comments as part of your build or minification step

    HTML minifiers like html-minifier-terser remove comments by default when removeComments: true is set, and most static site generators and bundlers strip them in production mode. Confirm yours actually does, since some frameworks only minify JS and CSS and leave hand-written HTML comments, including ones injected by a CMS field, untouched. Apply the same treatment to JS (Terser's comments: false) and CSS (cssnano), since developer notes hide in those files just as often.

  3. 3

    Remove or relocate the source comment itself

    Minification only hides comments from the shipped output; the source still has them, and a build misconfiguration or a different deploy path can let them through again. For a plugin or theme's self-announcing comment ("Generated by X v1.2.3"), check its settings; many let you disable the version banner outright. For genuine developer notes, move them into your actual codebase comments, which live server-side and never reach the browser, or your issue tracker, not into markup the client receives.

  4. 4

    Add a pre-deploy check so it doesn't come back

    A one-line CI step catches regressions cheaply: grep your build output for common sensitive patterns (a private-IP regex, "TODO", "password", "api_key", your staging hostname) and fail the build if any match. This turns "we noticed it in an audit" into "it never shipped," and it's far cheaper than re-auditing periodically by hand.

  5. 5

    Re-crawl and confirm the live source is clean

    After deploying, view-source or curl the live page again and confirm the flagged comments are gone. Purge any CDN or page cache that might still be serving the old response, then re-run the audit. If a comment contained a real credential, confirm separately that the rotated key is live everywhere it's used before you consider the incident closed.

Example

<!-- BEFORE: shipped in production, visible to anyone who views source -->
<!-- TODO: remove hardcoded test key before launch: api_key=sk_test_51H... -->
<!-- staging DB at 10.0.4.12, user: admin -->
<!-- Generated by AwesomePlugin v3.2.1 -->
<div class="hero">...</div>

<!-- AFTER: internal notes removed; structural comments are fine to keep -->
<!-- start hero section -->
<div class="hero">...</div>

Comments that leak internal detail versus a harmless structural comment left in place.

Platform-specific steps

WordPress

Page builders (Elementor, Divi, Beaver Builder) and some plugins leave editor comments or version banners in the rendered output; check your theme's functions.php and any plugin settings for a "remove generator tag" or "disable comments" option. Confirm WP_DEBUG output and Query Monitor data are never dumped into production HTML, only into logs or a dev environment.

Shopify

Developer comments often survive in theme.liquid and section files: old snippet IDs, internal notes, or a previous developer's shorthand. Review your theme code under Edit Code before publishing, since Shopify doesn't strip Liquid template comments automatically.

Static sites / Next.js / build tools

Add an explicit HTML-minification step if your pipeline doesn't already include one; production builds reliably strip JS/CSS comments but don't always touch comments written directly into a custom _document or server-rendered template string. Configure html-minifier-terser with removeComments: true as part of your deploy script.

Frequently asked

Does this finding mean my site has been hacked?

No. It means the audit found comments in your page's source that reveal internal detail, which is a hygiene finding about what you're exposing, not evidence that anyone has broken in. The one exception is if a comment contains an actual working credential; treat that specific case as urgent and rotate the key regardless of whether you believe anyone has seen it.

Will sensitive HTML comments hurt my Google ranking?

No. This isn't a ranking factor, and Google doesn't penalize pages for having HTML comments. The reason to fix it is security hygiene, reducing what a stranger can learn about your server and software from a free, public view-source, not search visibility.

Are all HTML comments a security problem?

No. Structural comments that just label a section, like marking where a footer starts, are harmless and aren't what this check targets. The issue is specifically comments containing internal paths, IPs, credentials, version numbers, or staging references: information that helps someone map your infrastructure or target a known vulnerability.

Do AI crawlers and scrapers actually read HTML comments?

Yes. Most AI bots, including GPTBot, ClaudeBot, and PerplexityBot, fetch the raw HTML response rather than a rendered browser view, so anything inside a comment is included in what they download. A comment being invisible on the rendered page doesn't make it invisible to an automated fetch.

Does your site have this issue?

Run a free, AI-powered audit and we’ll flag this and 150+ other checks in about a minute. No signup.

No signup needed. Results in under 60 seconds.

Related fixes