Code Smell 258 - The Dangers of Hardcoding Secrets
The Dangers of Hardcoding Secrets
TL;DR: Use a secret manager to avoid hardcoding sensitive information.
Problems
Security risk
Hard to update by operations teams
Code exposure
Data breaches
Audit Fails
Solutions
Use a secrets manager
Use Environment variables outside the code
Encrypted storage
Context
Writing secrets as plain text directly into your codebase exposes your code to significant security risks.
\
Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised.
\
Use a secret manager to store and manage your secrets.
\
This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed.
Sample Code
Wrong
import requests
api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com",
headers={"Authorization": f"Bearer {api_key}"})
Right
import os
import requests
api_key = os.environ.get("API_KEY")
# This is just an example. Might also be not as secure
response = requests.get("https://api.example.com",
headers={"Authorization": f"Bearer {api_key}"})
Detection
\
Automatic
You can detect this smell by searching your codebase for hardcoded strings that resemble secrets.
\
Code reviews and commercial security static analysis tools can also help identify these patterns.
Tags
Security
Level
Intermediate
AI Generation
AI code generators might create this smell if they were trained with code datasets with hardcoded secrets.
\
Always review generated code to ensure secrets are handled securely.
AI Detection
Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code.
Conclusion
Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated.
\
Many repl and public codebases have a secret manager as an external utility.
\
Make it a habit to handle all secrets with care and never let them slip into your codebase.
Relations
Code Smell 215 - Deserializing Object Vulnerability
Code Smell 189 - Not Sanitized Input
More Info
Stack Overflow
GitHub Copilot security concerns
Disclaimer
Code Smells are my opinion.
Credits
Photo by saeed karimi on Unsplash
Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.
Chris Pirillo
https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true
This article is part of the CodeSmell Series.
https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true
\
Welcome to Billionaire Club Co LLC, your gateway to a brand-new social media experience! Sign up today and dive into over 10,000 fresh daily articles and videos curated just for your enjoyment. Enjoy the ad free experience, unlimited content interactions, and get that coveted blue check verification—all for just $1 a month!
Account Frozen
Your account is frozen. You can still view content but cannot interact with it.
Please go to your settings to update your account status.
Open Profile Settings