When a web application is requested, the server usually sends code (HTML, CSS, JavaScript...) in the response. This code is then rendered by the web browser. Web developers sometimes forget that this code is not protected: anyone who receives the response can read its source. As a result, sensitive comments are sometimes left in it.
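A way to check for this before release, as an added example that is not part of the original page: the Python code below collects HTML, CSS and JavaScript comments from a response body and flags those that match a keyword list. The keyword list, the names `CommentCollector` and `find_sensitive_comments`, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list (not from the page); tune it to your own codebase.
SENSITIVE = re.compile(
    r"passw(or)?d|secret|api[_-]?key|token|todo|fixme|debug|internal|admin", re.I)
BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.DOTALL)
# Heuristic: skip '//' preceded by ':' so URLs like https://... are not comments.
LINE_COMMENT = re.compile(r"(?<!:)//([^\n]*)")

# Constructed sample response body.
SAMPLE_PAGE = """<html><head><style>/* layout tweaks */ body { margin: 0 }</style></head><body>
<!-- TODO: remove test account before release -->
<!-- navigation -->
<script>
// debug endpoint stays enabled on staging
var home = "https://example.com/";
/* legacy admin panel moved */
</script></body></html>"""


class CommentCollector(HTMLParser):
    """Collects HTML comments plus CSS/JS comments inside <style>/<script>."""
    def __init__(self):
        super().__init__()
        self.comments = []  # list of (kind, text) tuples
        self._raw = None    # "script" or "style" while inside that element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_comment(self, data):
        self.comments.append(("html", data.strip()))

    def handle_data(self, data):
        if self._raw:  # only text inside <script>/<style> is scanned
            found = BLOCK_COMMENT.findall(data)
            if self._raw == "script":
                found += LINE_COMMENT.findall(data)
            self.comments += [(self._raw, c.strip()) for c in found]


def find_sensitive_comments(page):
    collector = CommentCollector()
    collector.feed(page)
    collector.close()
    return [c for c in collector.comments if SENSITIVE.search(c[1])]
```

Run it over rendered responses or built templates in a pre-deployment step; the regex-based JavaScript comment matching is a heuristic and can misfire on string literals that contain comment markers.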