Leakage of hard-coded secret in JWT

Overview

Rule ID: javascript_lang_jwt_hardcoded_secret
Applicable Languages: Javascript
Weakness ID: CWE-798

Description

Storing hard-coded secrets in your code, particularly for JSON Web Tokens (JWT), poses a significant security risk. This practice exposes your application to unauthorized access and attacks.

Remediation Guidelines

Avoid hard-coding secrets in your code. Hard-coding makes sensitive information easily accessible to anyone who can view the code.
Use environment variables to store sensitive information such as secrets. This approach keeps credentials out of your codebase and facilitates more secure management.
```
var jwt = require("jsonwebtoken");
var token = jwt.sign({ foo: "bar" }, process.env.JWT_SECRET);
```
Consider implementing a key-management system to securely handle secrets and other sensitive information. This method provides enhanced security measures for managing and accessing credentials.

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousSAST JavaScript Rules NextLeakage of information in logger message

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration