
Code Smell 258 - The Dangers of Hardcoding Secrets

DATE POSTED: July 15, 2024

The Dangers of Hardcoding Secrets

TL;DR: Use a secret manager to avoid hardcoding sensitive information.

Problems
  • Security risk
  • Hard to update by operations teams
  • Code exposure
  • Data breaches
  • Audit Fails
Solutions
  1. Use a secrets manager
  2. Use Environment variables outside the code
  3. Encrypted storage
Context

Writing secrets as plain text directly into your codebase exposes your code to significant security risks.

Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised.

Use a secret manager to store and manage your secrets.

This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed.

Sample Code

Wrong

```python
import requests

# The secret lives in the source file: anyone with read access to the
# repository (or its history) gets the credential.
api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com", headers={"Authorization": f"Bearer {api_key}"})
```

Right

```python
import os
import requests

# The secret is injected at runtime by the environment (or a secrets manager)
# and never appears in the codebase.
api_key = os.environ.get("API_KEY")  # This is just an example. Might also be not as secure
response = requests.get("https://api.example.com", headers={"Authorization": f"Bearer {api_key}"})
```

Detection

  • Automatic

You can detect this smell by searching your codebase for hardcoded strings that resemble secrets.

Code reviews and commercial security static analysis tools can also help identify these patterns.
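As an added example (not part of the original article), here is a minimal scanner for the automatic detection described above. It flags string literals assigned to credential-like names and strings that match well-known token shapes; the sample source and the token values in it are constructed for the demonstration, and the name list and shape patterns are assumptions that a real tool would extend.

```python
import re
from typing import List, Tuple

# Constructed sample source (not from the original article). Line 5 is the
# "Right" pattern and must not be flagged; lines 3, 4 and 6 must be.
SAMPLE_SOURCE = """\
import os
import requests
api_key = "LILAS_PASTIA"
db_password = 'hunter2'
token = os.environ.get("API_TOKEN")
aws_key = "AKIAEXAMPLEEXAMPLE00"
greeting = "hello world"
"""

# Route 1: a string literal assigned to a name that suggests a credential.
SECRET_NAME = re.compile(
    r'(?i)\b([a-z_]*(?:password|passwd|secret|api_?key|token|credential)[a-z_]*)'
    r'\s*=\s*[\'"]([^\'"]+)[\'"]'
)

# Route 2: token formats that are recognisable regardless of the variable name
# (assumed shapes; the AWS value in the sample is constructed, not a real key).
KNOWN_SHAPES = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, name or token label, reason) for each suspect line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_NAME.search(line)
        if match:
            findings.append((lineno, match.group(1), "string literal assigned to credential-like name"))
            continue  # one finding per line is enough for a reviewer
        for label, pattern in KNOWN_SHAPES:
            if pattern.search(line):
                findings.append((lineno, label, "matches known token format"))
                break
    return findings


if __name__ == "__main__":
    for lineno, what, why in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {what}: {why}")
```

Run it over real files and it reports only lines 3, 4 and 6 of the sample; the `os.environ.get(...)` line passes because no literal is assigned.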

Tags
  • Security
Level
  • Intermediate
AI Generation

AI code generators might create this smell if they were trained with code datasets with hardcoded secrets.

Always review generated code to ensure secrets are handled securely.

AI Detection

Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code.

Conclusion

Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated.

Many REPLs and public codebases provide a secret manager as an external utility.

Make it a habit to handle all secrets with care and never let them slip into your codebase.

Relations

Code Smell 215 - Deserializing Object Vulnerability

Code Smell 189 - Not Sanitized Input

More Info

Stack Overflow

GitHub Copilot security concerns

Disclaimer

Code Smells are my opinion.

Credits

Photo by saeed karimi on Unsplash

Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.

Chris Pirillo

https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true

This article is part of the CodeSmell Series.

https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true
