Hardcoded JWT Secret
Description
Hardcoding secrets such as JWT signing keys is a significant security risk. If the source code ends up in a public repository or is otherwise compromised, the secret is exposed along with it. An attacker who holds the signing secret can mint forged tokens with arbitrary claims, and the application will accept them as genuine.
Examples
Insecure Code

```javascript
const jwt = require('jsonwebtoken');

// The signing key is a string literal in source control: anyone with the code can forge tokens.
const token = jwt.sign(payload, "hardcoded_secret", { algorithm: 'HS256' });
```

Secure Code

```javascript
const jwt = require('jsonwebtoken');

// The signing key is read from the environment at runtime and never committed.
const token = jwt.sign(payload, process.env.SECRET, { algorithm: 'HS256' });
```

Remediation
Store the JWT secret in an environment variable instead of hardcoding it. In production, use a secrets management service to store the secret and tightly control who and what can read it. For local development, keep the secret in a `.env` file that is excluded from version control (listed in `.gitignore`) and read it from `process.env`.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0402 |
| Category | Secrets |
| Severity | CRITICAL |
| CWE | CWE-798 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | jwt, secret, hardcoded |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |