The fastest way to give away the keys to the kingdom.
A "secret" is any sensitive string needed to run your app: database passwords, API keys, encryption salts, or AWS credentials. Hardcoding a secret means typing it directly into your source code. If that code is ever committed to a Version Control System (like Git), the secret is compromised forever.
Secrets should never live in code. They should be injected into the application at runtime by the environment (using `.env` files locally, and secure Secret Managers like AWS Secrets Manager or HashiCorp Vault in production).
```python
# VULNERABLE: Hardcoded
import stripe

def init_payment_gateway():
    # Anyone who can view this file on GitHub now controls your Stripe account.
    stripe.api_key = "sk_live_51Habcdefghijklmnopqrstuvwxyz123"
```

```python
# SECURE: Environment Variables
import os
import stripe

def init_payment_gateway():
    # The code is safe to share. The secret is injected at runtime.
    api_key = os.environ.get("STRIPE_API_KEY")
    if not api_key:
        # Fail fast rather than silently running with api_key = None.
        raise RuntimeError("STRIPE_API_KEY is not set in the environment")
    stripe.api_key = api_key
```
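Because a secret that reaches Git is compromised for good, the practical control is to catch the hardcoded pattern before the commit is made. The scanner below is an added example, not code from this page: it flags lines matching the Stripe live-key and AWS access-key-ID formats or assigning a string literal to a password/secret-style variable, and passes lines that read from the environment. The sample source and the AWS-style value are constructed placeholders.

```python
import re
from typing import List, Tuple

# Formats a scanner can recognise without context: Stripe live secret keys
# carry the public "sk_live_" prefix and AWS access key IDs start with "AKIA"
# followed by 16 upper-case alphanumerics. The generic rule catches
# assignments such as db_password = "..." for any provider.
SECRET_PATTERNS = {
    "stripe_live_key": re.compile(r"sk_live_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Reading the value from the environment is the pattern we want, so such
# lines are never reported even though they mention "api_key".
ENV_LOOKUP = re.compile(r"os\.environ|getenv\(")


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for each line that looks like a hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break  # one finding per line is enough to block the commit
    return findings


# Constructed sample file mixing the vulnerable and the secure style.
# The AWS value is a made-up placeholder in the documented AKIA format.
SAMPLE_SOURCE = '''\
import os
stripe.api_key = "sk_live_51Habcdefghijklmnopqrstuvwxyz123"
aws_access_key_id = "AKIAEXAMPLE000000000"
db_password = "hunter2hunter2"
stripe.api_key = os.environ.get("STRIPE_API_KEY")
'''

if __name__ == "__main__":
    # A pre-commit hook would run this over each staged file and exit non-zero
    # on any finding, refusing the commit before the secret enters history.
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: possible {name}")
```

Pattern matching of this kind produces false positives on test fixtures, so a real hook should allow an explicit per-line allowlist rather than being disabled wholesale.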
A developer is building a mobile app. They need to connect to Firebase, so they hardcode the `FIREBASE_API_KEY` into the Android Java code. They compile the app and publish it to the Google Play Store. A hacker downloads the app, decompiles the APK (which takes 5 seconds), extracts the API key, and deletes the entire production database.
You accidentally pushed a commit containing your AWS Secret Key to a public GitHub repository. You immediately deleted the line of code and pushed a new commit 30 seconds later. Are you safe?