The Dangers of Hardcoding Secrets TL;DR: Use a secret manager to avoid hardcoding sensitive information. Problems Security risk
Hard to update by operations teams
Code exposure
Data breaches
Audit Fails Solutions Use a secrets manager
Use Environment variables outside the code
Encrypted storage Context Writing secrets as plain text directly into your codebase exposes your code to significant security risks. Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised. Use a secret manager to store and manage your secrets. This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed. Sample Code Wrong import requests

api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) Right import os
import requests

api_key = os.environ.get("API_KEY")
# This is just an example. Might also be not as secure

response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) Detection Automatic You can detect this smell by searching your codebase for hardcoded strings that resemble secrets. Code reviews and commercial security static analysis tools can also help identify these patterns. Tags Security Level Intermediate AI Generation AI code generators might create this smell if they were trained with code datasets with hardcoded secrets. Always review generated code to ensure secrets are handled securely. AI Detection Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code. Conclusion Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated. Many repl and public codebases have a secret manager as an external utility. Make it a habit to handle all secrets with care and never let them slip into your codebase. Relations Code Smell 215 - Deserializing Object Vulnerability Code Smell 189 - Not Sanitized Input More Info Stack Overflow GitHub Copilot security concerns Disclaimer Code Smells are my opinion. Credits Photo by saeed karimi on Unsplash Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers. Chris Pirillo https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true This article is part of the CodeSmell Series. https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true The Dangers of Hardcoding Secrets The Dangers of Hardcoding Secrets TL;DR: Use a secret manager to avoid hardcoding sensitive information. TL;DR: Use a secret manager to avoid hardcoding sensitive information. Problems Security risk Hard to update by operations teams Code exposure Data breaches Audit Fails Security risk Hard to update by operations teams Code exposure Data breaches Audit Fails Solutions Use a secrets manager Use Environment variables outside the code Encrypted storage Use a secrets manager secrets manager Use Environment variables outside the code Encrypted storage Context Writing secrets as plain text directly into your codebase exposes your code to significant security risks. Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised. Use a secret manager to store and manage your secrets. This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed. Sample Code Wrong import requests

api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) import requests

api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) Right import os
import requests

api_key = os.environ.get("API_KEY")
# This is just an example. Might also be not as secure

response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) import os
import requests

api_key = os.environ.get("API_KEY")
# This is just an example. Might also be not as secure

response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"}) Detection Automatic Automatic You can detect this smell by searching your codebase for hardcoded strings that resemble secrets. Code reviews and commercial security static analysis tools can also help identify these patterns. Tags Security Security Level Intermediate Intermediate AI Generation AI code generators might create this smell if they were trained with code datasets with hardcoded secrets. Always review generated code to ensure secrets are handled securely. AI Detection Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code. Conclusion Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated. Many repl and public codebases have a secret manager as an external utility. Make it a habit to handle all secrets with care and never let them slip into your codebase. Relations Code Smell 215 - Deserializing Object Vulnerability Code Smell 215 - Deserializing Object Vulnerability Code Smell 189 - Not Sanitized Input Code Smell 189 - Not Sanitized Input More Info Stack Overflow Stack Overflow GitHub Copilot security concerns GitHub Copilot security concerns Disclaimer Code Smells are my opinion . opinion Credits Photo by saeed karimi on Unsplash saeed karimi Unsplash Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers. Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers. Chris Pirillo Chris Pirillo https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true https://hackernoon.com/400-thought-provoking-software-engineering-quotes?embedable=true This article is part of the CodeSmell Series. https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd?embedable=true

The code in this story is for educational purposes. The readers are solely responsible for whatever they build with it.

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

Code Smell 258 - The Dangers of Hardcoding Secrets

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

10 Predictions About the Future of Finance

106 Stories To Learn About Clean Code

100 Pieces of Programming Advice from the Book Clean Code by Robert Martin

110 Stories To Learn About Refactoring

3 Things Coding And Prose Writing Have In Common According To Cory House

4 Simple Habits For Engineering Teams To Beat Technical Debt

10 Predictions About the Future of Finance

106 Stories To Learn About Clean Code

100 Pieces of Programming Advice from the Book Clean Code by Robert Martin

110 Stories To Learn About Refactoring

3 Things Coding And Prose Writing Have In Common According To Cory House

4 Simple Habits For Engineering Teams To Beat Technical Debt

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps