DEV Community

Cover image for Code Smell 258 - Secrets in Code
Maxi Contieri
Maxi Contieri

Posted on • Originally published at maximilianocontieri.com

Code Smell 258 - Secrets in Code

#webdev #beginners #programming #security

The Dangers of Hardcoding Secrets

TL;DR: Use a secret manager to avoid hardcoding sensitive information.

Problems

  • Security risk

  • Hard to update by operations teams

  • Code exposure

  • Data breaches

  • Audit Fails

Solutions

  1. Use a secrets manager

  2. Use Environment variables outside the code

  3. Encrypted storage

Context

Writing secrets as plain text directly into your codebase exposes your code to significant security risks.

Hardcoded secrets such as API keys, passwords, database credentials, and tokens can be easily exposed if your code is shared or compromised.

Use a secret manager to store and manage your secrets.

This strategy will reduce the risk of data breaches and make it easier to update and rotate secrets as needed.

Sample Code

Wrong 

import requests

api_key = "LILAS_PASTIA"
response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"})
Enter fullscreen mode Exit fullscreen mode

Right 

import os
import requests

api_key = os.environ.get("API_KEY")
# This is just an example. Might also be not as secure

response = requests.get("https://api.example.com", 
           headers={"Authorization": f"Bearer {api_key}"})
Enter fullscreen mode Exit fullscreen mode

Detection

[X] Automatic

You can detect this smell by searching your codebase for hardcoded strings that resemble secrets.

Code reviews and commercial security static analysis tools can also help identify these patterns.

Tags

  • Security

Level

[x] Intermediate

AI Generation

AI code generators might create this smell if they were trained with code datasets with hardcoded secrets.

Always review generated code to ensure secrets are handled securely.

AI Detection

Gemini, Claude, and ChatGPT detected the hardcoded secrets and suggested changes to the code.

Conclusion

Using a secret manager enhances the security and maintainability of your code by ensuring that sensitive information is stored securely and can be easily managed and updated.

Many repl and public codebases have a secret manager as an external utility.

Make it a habit to handle all secrets with care and never let them slip into your codebase.

Relations

mcsee

Code Smell 215 - Deserializing Object Vulnerability

Maxi Contieri ・ Jun 1 '23

#webdev #beginners #programming #security
mcsee

Code Smell 189 - Not Sanitized Input

Maxi Contieri ・ Dec 28 '22

#webdev #beginners #programming #security

More Info

Stack Overflow

GitHub Copilot security concerns

Disclaimer

Code Smells are my opinion.

Credits

Photo by saeed karimi on Unsplash

Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.

Chris Pirillo

mcsee

Software Engineering Great Quotes

Maxi Contieri ・ Dec 28 '20

#codenewbie #programming #quotes #software

This article is part of the CodeSmell Series.

mcsee

How to Find the Stinky parts of your Code

Maxi Contieri ・ May 21 '21

#codenewbie #tutorial #codequality #beginners

Top comments (0)

Read next

jeet_dhandha profile image

Building and Comparing Table Data Made Easy with @libs-jd/table-data-kit

Jeet Dhandha -

busa profile image

LINUX GUIDE USING UBUNTU

Busa Ayim-Odu -

oluchiedeh profile image

How to Dockerize a Python Script for Data Processing from a CSV File: A Step-by-Step Guide.

Oluchukwu Edeh -

chintanonweb profile image

Mastering JavaScript Memory: A Beginner’s Guide to Stack and Heap

chintanonweb -