Hardcoded JWT Secret
Description
Hardcoding secrets like JWT signing keys poses a significant security risk. If the source code ends up in a public repository or is compromised, the secret is exposed. Attackers could then use the secret to generate forged tokens and access the system.
Examples
Insecure Code
```javascript
const jwt = require('express-jwt');
// The signing secret is a string literal committed with the source
const secret = 'hardcoded-secret';
app.use(jwt({ secret: secret, algorithms: ['HS256'] }));
```
Secure Code
```javascript
const jwt = require('express-jwt');
// Read the signing secret from the environment at startup and fail fast if it is missing
const secret = process.env.SECRET;
if (!secret) throw new Error('SECRET environment variable is not set');
app.use(jwt({ secret: secret, algorithms: ['HS256'] }));
```
Remediation
Store the JWT secret in an environment variable instead of hardcoding it. Use a secrets management service to securely store and tightly control access to the secret.
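As an added example, not part of this rule's own implementation, a small line-based check that flags the pattern described above (a string literal passed, directly or through a local variable, as the express-jwt secret) while letting process.env lookups through; the function and sample names are assumed.

```javascript
// Added example (not the scanner's own implementation): a line-based check for
// the pattern rule CODE-0405 describes, run over constructed samples.
// Assumed names: findHardcodedJwtSecrets, INSECURE_SAMPLE, SECURE_SAMPLE.

// Matches a `jwt({ ... secret: <expr> ...` call and captures <expr>.
const JWT_SECRET_OPTION = /\bjwt\s*\(\s*\{[^}]*\bsecret\s*:\s*([^,}]+)/;
// Matches `const|let|var name = '<string literal>'`.
const LITERAL_ASSIGNMENT = /\b(?:const|let|var)\s+(\w+)\s*=\s*(['"`])[^'"`]*\2\s*;?/;
const STRING_LITERAL = /^(['"`]).*\1$/;

function findHardcodedJwtSecrets(source) {
  const findings = [];
  // Variables assigned a string literal earlier in the file: name -> line number.
  const literalVars = new Map();
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    const assign = text.match(LITERAL_ASSIGNMENT);
    if (assign) literalVars.set(assign[1], line);
    const call = text.match(JWT_SECRET_OPTION);
    if (!call) return;
    const expr = call[1].trim();
    if (STRING_LITERAL.test(expr)) {
      // Secret written inline as a literal.
      findings.push({ line, secretLine: line, kind: 'literal' });
    } else if (literalVars.has(expr)) {
      // Secret is a variable whose value is a literal defined earlier.
      findings.push({ line, secretLine: literalVars.get(expr), kind: 'variable' });
    }
    // Anything else (e.g. process.env.SECRET) is not flagged by this check.
  });
  return findings;
}

// Constructed samples, based on the snippets above.
const INSECURE_SAMPLE = [
  "const jwt = require('express-jwt');",
  "const secret = 'hardcoded-secret';",
  "app.use(jwt({ secret: secret, algorithms: ['HS256'] }));",
].join('\n');
const SECURE_SAMPLE = [
  "const jwt = require('express-jwt');",
  'const secret = process.env.SECRET;',
  "app.use(jwt({ secret: secret, algorithms: ['HS256'] }));",
].join('\n');

console.log(findHardcodedJwtSecrets(INSECURE_SAMPLE)); // one finding: line 3, secretLine 2, kind 'variable'
console.log(findHardcodedJwtSecrets(SECURE_SAMPLE));   // []
```

The check is deliberately narrow: it only follows single-line literal assignments and does not resolve secrets read from config files, which is where a real scanner or a secrets manager comes in.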
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0405 |
| Category | Secrets |
| Severity | CRITICAL |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | jwt, secret, hardcoded |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |