Hardcoded Secrets

Learn why hardcoding secrets directly in your source code is one of the most dangerous security practices and how it can lead to major data breaches.

🚨 Critical Security Risk

Never use in production

Hardcoding secrets directly in your source code is extremely dangerous. This approach makes your sensitive credentials visible to anyone with access to your codebase and permanently stores them in version control history.

Dangerous Examples

API Key in Source Code

API Key in Source Code Example

(code listing masked on the page: 🔒 Secret Hidden)

⚠️ Risk: Anyone with access to your code can see the API key

Database Connection String

Database Connection String Example

(code listing masked on the page: 🔒 Secret Hidden)

⚠️ Risk: Database credentials visible to anyone reading the code

JWT Secret

JWT Secret Example

(code listing masked on the page: 🔒 Secret Hidden)

⚠️ Risk: JWT tokens can be forged by anyone who knows the secret

Security Risks & Consequences

Version Control Exposure

Critical

Secrets become permanently part of your git history

Public Repository Risk

Critical

If your repo becomes public, secrets are immediately exposed

Team Access Issues

High

All developers see secrets they might not need

No Rotation Capability

Medium

Changing secrets requires code changes and deployments

Real-World Impact

Famous Security Breaches Caused by Hardcoded Secrets:

  • Uber (2016): Engineers hardcoded AWS credentials in private GitHub repos
  • Toyota (2023): Access tokens exposed in public repositories for nearly 5 years
  • Mercedes-Benz (2022): GitHub token with access to internal repos found hardcoded
  • Samsung (2019): Private keys and passwords found in public repositories

💡 These breaches could have been prevented by following proper secrets management practices.

CLI Demo (Terminal)

Run the hardcoded-secrets demo from a terminal in the project root:

Run CLI demo

  # From project root
  node app-hardcoded.js

  # Or with Bun
  bun app-hardcoded.js

Interactive Demo & Guided Lab

This unified demo runs a realistic “secrets committed to git” incident and walks through the guided lab steps. The output includes console logs, demo results, and lab scenario tasks and resources.

Mitigation Playbook

Immediate

  • Invalidate the exposed credential and rotate dependent services
  • Purge build artifacts, caches, and logs containing the secret
  • Notify owners of downstream systems using the credential

Short Term

  • Audit the repository history using truffleHog or gitleaks
  • Add automated scanning to CI and pre-push hooks
  • Educate developers on the incident that just occurred

Long Term

  • Introduce a secrets manager and remove hardcoded credentials
  • Enforce branch protection rules with secret detection
  • Schedule quarterly reviews of repositories with sensitive access
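The "Short Term" step above adds secret scanning to CI and pre-push hooks. As an added example that is not part of this demo project, the script below is a minimal scanner for the three hardcoded-secret shapes this page shows (secret-named variable assigned a string literal, credentials embedded in a connection URL), run over a constructed sample file; real tools such as gitleaks and truffleHog carry far more rules and entropy checks.

```javascript
// Added example (not the demo's own code): a minimal pre-push scanner for the
// hardcoded-secret patterns this page shows. gitleaks and truffleHog do far
// more (entropy checks, hundreds of rules); this only illustrates the logic.
const RULES = [
  {
    id: 'secret-assignment',
    // A variable whose name suggests a secret, assigned a string literal of 8+
    // characters anywhere on the line. The lazy [^'"`]*? lets it also catch
    // `process.env.X || "fallback"`: a hardcoded default is still a secret.
    re: /\b(?:const|let|var)\s+(\w*(?:KEY|SECRET|TOKEN|PASSWORD)\w*)\s*=[^'"`\n]*?(['"`])([^'"`]{8,})\2/i,
    secretGroup: 3,
  },
  {
    id: 'url-credentials',
    // scheme://user:password@host, the shape of a database connection string.
    re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s/:'"`]+:([^\s@'"`]+)@/i,
    secretGroup: 1,
  },
];
// Show only the first and last two characters of a finding so the scanner's
// own output (CI logs!) does not become one more place the secret is stored.
function redact(value) {
  if (value.length <= 4) return '****';
  return value.slice(0, 2) + '*'.repeat(value.length - 4) + value.slice(-2);
}
// One finding per (line, rule) match: { line, rule, preview }.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (!m) continue;
      findings.push({ line: idx + 1, rule: rule.id, preview: redact(m[rule.secretGroup]) });
    }
  });
  return findings;
}
// Constructed sample file: the page's three dangerous examples, then a correct
// environment read, then a common mistake that still ships a secret.
const SAMPLE = [
  'const API_KEY = "sk_live_constructedExampleKey123";',
  'const DATABASE_URL = "postgres://app:Sup3rS3cret@db.internal:5432/prod";',
  'const JWT_SECRET = "my-super-secret-jwt-key";',
  '',
  'const API_KEY_OK = process.env.API_KEY;',
  'const JWT_SECRET_OK = process.env.JWT_SECRET || "dev-fallback-secret";',
].join('\n');
// In a pre-push hook, a non-empty result would abort the push (exit code 1).
for (const f of scanSource(SAMPLE)) console.log(`line ${f.line}: ${f.rule} ${f.preview}`);
```

Lines 1, 2, 3 and 6 of the sample are reported; the plain `process.env` read on line 5 is not, which is the behaviour a hook gating commits should have.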

Source Code & Live Demo

Explore the actual implementation and see how secrets appear in real codebases:
