
Hardcoded secrets

Oops... did I do that?

~15mins estimated

Hardcoded secrets in action

Deep in the mystical land of Codeshire, a slightly scatterbrained wizard named Archibald the Absentminded has invented a magical weather bot called Stormy. Stormy connects to weatherwand.xyz, a powerful enchanted weather forecasting service.

WeatherWand offers two types of API services:

  • Free tier: limited forecasts, simple sun/rain predictions, and a cap of 100 calls per day.
  • Premium tier: advanced features like hour-by-hour forecasts, storm tracking, and real-time dragon flight advisories, with no usage limits—but at a hefty price per request.

Archibald, eager to impress his fellow villagers, signed up for a premium WeatherWand API key to make sure Stormy always gave the most accurate predictions. But in his haste to share his project with the world, he made a critical mistake:

Almost immediately, someone discovers Stormy's repository and notices the hardcoded API_KEY. How fast? Remarkably fast! There are a lot of bad actors actively scanning public repositories for secrets. And now that one of these bad actors has this application's key, they can start making thousands of premium API requests. And these are all billed to Archibald's account!

Hardcoded secrets mitigation

To protect Stormy, Archibald updates his code to load secrets securely from the environment:

Archibald now stores the API key in a .env file for local development (and keeps that file out of version control):

# .env
WEATHER_API_KEY=secret_5ebe2294ecd0e0f08eab7690d2a6ee69

When Archibald is ready for production and deploys to a cloud provider, the provider's own secret manager is the recommended place to keep the key:

  • AWS Secrets Manager / AWS Parameter Store
  • Google Secret Manager
  • Azure Key Vault

Platforms like Heroku, Vercel, Netlify, Render, AWS Elastic Beanstalk, etc. don't read your .env file directly. Instead, you set the environment variables in the platform's dashboard or CLI.

The platform stores them securely and injects them into your running process as real environment variables, so your app reads them exactly as it would values loaded from a .env file.
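The loading step the lesson describes, written out as an added example (this is not the lesson's own code): the key is read from the process environment at runtime, a minimal .env parser stands in for a library such as python-dotenv during local development, values already present in the real environment (as a platform or secret manager would inject them) take precedence over the .env file, and a missing key fails fast instead of silently calling WeatherWand unauthenticated. The variable name WEATHER_API_KEY, the host weatherwand.xyz and the key value come from the lesson; the function names and the .env content are constructed for this example.

```python
"""Added example: load the WeatherWand key from the environment instead of hardcoding it.
Not part of the Snyk Learn lesson; parse_dotenv is a small stand-in for python-dotenv."""
import os
import re

# Before (the vulnerable pattern the lesson describes): a literal key in source,
# which ends up in git history the moment the repository is shared.
#   API_KEY = "secret_5ebe2294ecd0e0f08eab7690d2a6ee69"
# After: the key lives outside the repository and is read at runtime (below).

_ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and comments are ignored, matching quotes stripped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def load_dotenv_into(env: dict, text: str, override: bool = False) -> None:
    """Populate `env` (normally os.environ) from .env text.

    Values already in the environment win unless override=True, so a key injected
    by the hosting platform or a secret manager is never shadowed by a stale local file.
    """
    for key, val in parse_dotenv(text).items():
        if override or key not in env:
            env[key] = val


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent; the app should stop, not run unauthenticated."""


def load_api_key(env=None, name: str = "WEATHER_API_KEY") -> str:
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise MissingSecretError(f"{name} is not set; configure it in the environment or secret manager")
    return value


def redact(secret: str) -> str:
    """Log-safe form of a secret: never write the whole key to logs."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def build_forecast_request(env=None) -> dict:
    """Assemble the request Stormy would send; the key is fetched at call time, not import time."""
    key = load_api_key(env)
    return {"url": "https://weatherwand.xyz/forecast", "headers": {"Authorization": f"Bearer {key}"}}


# Constructed .env content for local development, in the same shape as the lesson's file.
SAMPLE_DOTENV = """# .env
WEATHER_API_KEY=secret_5ebe2294ecd0e0f08eab7690d2a6ee69
"""

if __name__ == "__main__":
    env = {}  # a throwaway environment so the demo does not touch the real os.environ
    load_dotenv_into(env, SAMPLE_DOTENV)
    print("loaded key", redact(load_api_key(env)))
```

In a real deployment the `.env` file is listed in `.gitignore` and exists only on the developer's machine; production gets the variable from the platform dashboard or secret manager, and `load_api_key` behaves identically in both cases.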

FUN FACT

In 2022, Uber suffered a massive breach because a developer hardcoded an admin password in a PowerShell script!

Rotate exposed credentials immediately

If you've accidentally committed a secret, even once, you must assume it's compromised. Delete the exposed credential from the codebase, but don't stop there: removing it from the latest commit does not remove it from the repository's history. Rotate the secret (for example, generate a new API key or password) and update any dependent services. Secret-scanning tools like GitGuardian, TruffleHog, and Snyk Code can help find other exposures. Also audit access logs to check whether the exposed credential was abused.
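To show what the scanning tools named above do at their core, here is an added example (not the lesson's code and not how any of those products are implemented): a small scanner that runs two constructed rules over source text, one for the WeatherWand key format used in the lesson and one for quoted literals assigned to secret-looking variable names, then drops obvious placeholders and low-entropy strings to cut false positives. The sample source lines and the rule patterns are constructed for this example.

```python
"""Added example: a minimal secret scanner in the spirit of GitGuardian / TruffleHog / Snyk Code.
Not part of the lesson; rules and sample input are constructed for illustration."""
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # never store or print the full matched secret


# Rule 1: the WeatherWand key shape from the lesson (constructed: "secret_" + 32 hex chars).
# Rule 2: a quoted literal of 8+ chars assigned to a variable whose name suggests a credential.
RULES = {
    "weatherwand-key": re.compile(r"\bsecret_[0-9a-f]{32}\b"),
    "assigned-secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Strings that match rule 2 syntactically but are documentation, not secrets.
PLACEHOLDERS = {"changeme", "your_api_key_here", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary words and repeats score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return one Finding per line that carries a probable hardcoded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Placeholders and low-entropy values are almost always noise; skip them.
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                continue
            findings.append(Finding(no, rule, redact(value)))
            break  # one finding per line is enough
    return findings


# Constructed source file resembling Stormy's repository before and after the fix.
SAMPLE_SOURCE = '''import os
import requests

API_KEY = "secret_5ebe2294ecd0e0f08eab7690d2a6ee69"  # vulnerable: premium key in the repo
DB_PASSWORD = "changeme"                             # placeholder, not a real secret
token = "Xk9pQ2mZ7vL4nR8tB"                          # another hardcoded credential (constructed)
safe_key = os.environ["WEATHER_API_KEY"]             # fine: read at runtime
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
```

Real scanners add hundreds of provider-specific patterns, walk the full git history rather than the working tree, and in some cases verify a candidate against the issuing service; the entropy filter here is the same basic trick they use to separate random-looking credentials from words.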