Use of Hard-coded Credentials
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
The application’s JWT secret key is hard-coded directly in the source code. Storing secrets this way makes them easy to accidentally expose if the code is leaked, shared, or uploaded to public repositories.
Impact#
If an attacker obtains the hard-coded secret, they can forge or tamper with JWT tokens, potentially impersonating users or escalating privileges within your app. This can lead to unauthorized access, data breaches, and compromised application security.