This content originally appeared on HackerNoon and was authored by Maximiliano Contieri
The Dangers of Hardcoding Secrets
TL;DR: Use a secret manager to avoid hardcoding sensitive information.
Problems
- Security risk
- Hard to update by operations teams
- Code exposure
- Data breaches
- Audit Fails
Solutions
- Use a secrets manager
- Use Environment variables outside the code
- Encrypted storage
Context
Writing secrets as plain text directly into your codebase exposes your code to significant security risks.
Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised.
Use a secret manager to store and manage your secrets.
This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed.
Sample Code
Wrong
import requests
# The credential lives in the source and in every copy and clone of the repository
api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com",
                        headers={"Authorization": f"Bearer {api_key}"})
Right
import os
import requests
api_key = os.environ.get("API_KEY")
if api_key is None:
    # Fail fast instead of silently sending "Bearer None"
    raise RuntimeError("API_KEY is not set in the environment")
# This is just an example; plain environment variables might also not be secure enough in every setting
response = requests.get("https://api.example.com",
                        headers={"Authorization": f"Bearer {api_key}"})
Detection
- Automatic
You can detect this smell by searching your codebase for hardcoded strings that resemble secrets.
Code reviews and commercial security static analysis tools can also help identify these patterns.
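A small scanner in the spirit of the detection described above, added here as an example (not code from the original article): it flags quoted literals assigned to credential-looking names and any long, high-entropy literal, running over a constructed sample that includes the "wrong" snippet. The name pattern and the entropy threshold are assumptions chosen for this example, not a standard.

```python
import math
import re
from collections import Counter

# Assignment of a quoted literal to a credential-looking name (pattern is an assumption for this example).
NAME_RULE = re.compile(
    r"""^\s*(?P<name>\w*(?:api_?key|secret|token|passw(?:or)?d)\w*)\s*=\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)
# Any quoted literal long and random-looking enough to be a generated key.
LITERAL_RULE = re.compile(r"""["'](?P<value>[A-Za-z0-9+/=_\-]{32,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; loosely tuned for this example


def shannon_entropy(text: str) -> float:
    """Bits per character; natural-language strings sit well below random keys."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule, offending value) for every suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if (m := NAME_RULE.match(line)):
            findings.append((lineno, "name", m.group("value")))
            continue  # one finding per line is enough for triage
        for m in LITERAL_RULE.finditer(line):
            if shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "entropy", m.group("value")))
    return findings


# Constructed sample input: the article's "wrong" snippet plus a few extra lines.
SAMPLE = """\
import os
import requests
api_key = "LILAS_PASTIA"
db_password = "hunter2"
safe_key = os.environ.get("API_KEY")
blob = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
label = "Authorization"
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_source(SAMPLE):
        print(f"line {lineno}: [{rule}] {value}")
```

Tools of this kind produce false positives (test fixtures, example keys), so the findings are a review queue, not a verdict.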
Tags
- Security
Level
- Intermediate
AI Generation
AI code generators might create this smell if they were trained with code datasets with hardcoded secrets.
Always review generated code to ensure secrets are handled securely.
AI Detection
Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code.
Conclusion
Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated.
Many online REPLs and public code hosting platforms provide a secret manager as an external utility.
Make it a habit to handle all secrets with care and never let them slip into your codebase.
Relations
Code Smell 215 - Deserializing Object Vulnerability
Code Smell 189 - Not Sanitized Input
More Info
GitHub Copilot security concerns
Disclaimer
Code Smells are my opinion.
Credits
Photo by saeed karimi on Unsplash
Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.
Chris Pirillo
https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true
This article is part of the CodeSmell Series.
https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true
Maximiliano Contieri | Sciencx (2024-07-15T14:03:56+00:00) Code Smell 258 – The Dangers of Hardcoding Secrets. Retrieved from https://www.scien.cx/2024/07/15/code-smell-258-the-dangers-of-hardcoding-secrets/