Hardcoded Secrets

The fastest way to give away the keys to the kingdom.

The idea

A "secret" is any sensitive string needed to run your app: database passwords, API keys, encryption salts, or AWS credentials. Hardcoding a secret means typing it directly into your source code. If that code is ever committed to a Version Control System (like Git), the secret is compromised forever.

Step 1: Developer types an AWS key into their code for a quick test.

How it works (Environment Variables)

Secrets should never live in code. They should be injected into the application at runtime by the environment (using `.env` files locally, and secure Secret Managers like AWS Secrets Manager or HashiCorp Vault in production).

# VULNERABLE: Hardcoded
import stripe

def init_payment_gateway():
    # Anyone who can view this file on GitHub now controls your Stripe account.
    stripe.api_key = "sk_live_51Habcdefghijklmnopqrstuvwxyz123"

# SECURE: Environment Variables
import os
import stripe

def init_payment_gateway():
    # The code is safe to share. The secret is injected at runtime.
    api_key = os.environ.get("STRIPE_API_KEY")
    if not api_key:
        # Fail fast: a missing secret should stop startup, not silently leave the client unauthenticated.
        raise RuntimeError("STRIPE_API_KEY is not set")
    stripe.api_key = api_key
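The snippet above shows one secret; a real service usually needs several, and the local-development story relies on a `.env` file. The following is an added example (not code from the original page or from Stripe): a minimal `.env` parser plus a loader that reports every missing secret at startup instead of silently handing back `None`. The secret names `STRIPE_API_KEY` and `DATABASE_URL`, the `MissingSecretError` class and the sample `.env` text are all assumptions made for the illustration.

```python
"""Added example (not part of the original page): load secrets from the
environment, with a small .env parser for local development and a fail-fast
check that lists every missing secret at once."""
import os

# Names assumed for illustration; a real app lists whatever it actually needs.
REQUIRED_SECRETS = ("STRIPE_API_KEY", "DATABASE_URL")


class MissingSecretError(RuntimeError):
    """Raised at startup when one or more required secrets are absent or empty."""


def parse_dotenv(text: str) -> dict:
    """Parse KEY=value lines from the body of a .env file.

    Blank lines and '#' comments are skipped, an optional 'export ' prefix is
    accepted, and matching surrounding quotes are stripped from the value.
    Lines without '=' are ignored rather than guessed at.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key:
            result[key] = value
    return result


def load_secrets(required, env=None) -> dict:
    """Return {name: value} for every required secret.

    Raises MissingSecretError naming *all* secrets that are unset or empty, so
    an operator fixes the deployment in one round instead of one crash at a
    time. `env` defaults to os.environ; passing a dict makes this testable.
    """
    source = os.environ if env is None else env
    found, missing = {}, []
    for name in required:
        value = (source.get(name) or "").strip()
        if value:
            found[name] = value
        else:
            missing.append(name)
    if missing:
        raise MissingSecretError("missing required secrets: " + ", ".join(missing))
    return found


def local_env(dotenv_text: str) -> dict:
    """Local-development merge: values from .env, overridden by the real
    environment so a deployment never silently picks up a developer's file."""
    merged = parse_dotenv(dotenv_text)
    merged.update(os.environ)
    return merged


if __name__ == "__main__":
    # Constructed .env body with placeholder values; nothing here is a real key.
    SAMPLE_DOTENV = (
        "# local development only, never commit this file\n"
        'STRIPE_API_KEY="sk_test_PLACEHOLDER"\n'
        "export DATABASE_URL=postgres://localhost/app\n"
    )
    secrets = load_secrets(REQUIRED_SECRETS, local_env(SAMPLE_DOTENV))
    print("loaded:", ", ".join(secrets))  # names only; never log the values
    try:
        load_secrets(REQUIRED_SECRETS, {})
    except MissingSecretError as exc:
        print("startup refused:", exc)
```

The `.env` file itself belongs in `.gitignore`; the parser only exists so local runs and production runs read secrets through the same `load_secrets` path, with production values coming from the secret manager rather than a file.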

Watch out for

Worked example

A developer is building a mobile app. They need to connect to Firebase, so they hardcode the `FIREBASE_API_KEY` into the Android Java code. They compile the app and publish it to the Google Play Store. An attacker downloads the app, decompiles the APK (which takes 5 seconds), extracts the API key, and deletes the entire production database. Anything compiled into a client-side app is shipped to every user, so a key inside it must be treated as public.

Check yourself

You accidentally pushed a commit containing your AWS Secret Key to a public GitHub repository. You immediately deleted the line of code and pushed a new commit 30 seconds later. Are you safe?

No. Automated bots scan GitHub constantly. They scrape new commits within fractions of a second. Deleting it from `main` does not delete it from history.
Correct! Once a secret touches the internet, it is burned. Never try to hide it; rotate it immediately.
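Because the secret is burned the moment it is pushed, the useful control is a check that runs before the commit exists. The following is an added example, not code from the original page: a small pre-commit style scanner that runs a few well-known key patterns (the AWS access key ID prefix `AKIA`, the Stripe `sk_live_` prefix, and a generic `password`/`secret`/`token = "..."` assignment) over source text and reports the line and rule for each hit. The `# secret-ok` allow-list marker, the rule names and the sample source are assumptions made for this illustration; `AKIAIOSFODNN7EXAMPLE` is the example key from AWS's own documentation, not a live credential.

```python
"""Added example (not part of the original page): a minimal hardcoded-secret
scanner of the kind run as a pre-commit hook, with an allow-list marker for
deliberate test fixtures. Real tools such as gitleaks, trufflehog and
detect-secrets do this with far larger rule sets."""
import re
import sys

# Rule order matters: specific formats first, generic assignment last, so a
# line is attributed to the most precise rule that matches it.
RULES = (
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_key", re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}")),
    ("generic_credential", re.compile(
        r"(?i)(password|passwd|secret|token)\s*=\s*[\"'][^\"']{8,}[\"']")),
)

# Hypothetical marker: a line carrying it is a known fixture and is skipped.
ALLOW_MARKER = "# secret-ok"


def scan_text(text: str) -> list:
    """Return [(line_number, rule_name)] for every line that looks like a
    hardcoded secret. Line numbers are 1-based. Only the first matching rule
    is reported per line, and allow-listed lines are ignored."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name))
                break
    return findings


def scan_files(paths) -> dict:
    """Scan each file path and return {path: findings} for paths with hits."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            hits = scan_text(handle.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample source; the Stripe value is the placeholder from the
# page above and the AWS value is AWS's documented example key.
SAMPLE_SOURCE = """import os
stripe.api_key = "sk_live_51Habcdefghijklmnopqrstuvwxyz123"
aws_key = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
safe_key = os.environ.get("STRIPE_API_KEY")
test_token = "fixture-value-not-a-secret"  # secret-ok
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage as a hook: python scanner.py file1.py file2.py ...
        report = scan_files(sys.argv[1:])
        for path, hits in report.items():
            for number, rule in hits:
                print(f"{path}:{number}: possible hardcoded secret ({rule})")
        sys.exit(1 if report else 0)
    for number, rule in scan_text(SAMPLE_SOURCE):
        print(f"sample:{number}: possible hardcoded secret ({rule})")
```

Exiting non-zero when anything is found is what lets a hook block the commit; the scan is cheap enough to run on every staged file. The allow-list marker is a deliberate trade-off: it keeps test fixtures from drowning the report, but every use of it should be visible in code review.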