# Use of Hard-coded, Security-relevant Constants (CWE-547)

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

**Stack:** Python

- Prevalence: Focalizado 2 lenguajes cubiertos
- Impact: Medio Se recomienda revisión
- Prevention: Documentada 2 ejemplos de corrección

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

## Prevention

Estrategias de prevención para Hardcoded Security Constants basadas en 1 reglas de detección de Shoulder.

### Key Practices

- configurable via environment variables

### Python

Load URLs from environment variables with localhost as the development fallback

## Warning Signs

- [LOW] Development URL found at line ...: ...
- [LOW] hardcoded development URLs such as localhost or 127

## Consequences

- Modificar datos de la aplicación
- Leer datos de la aplicación

## Mitigations

- Usa constantes con nombre o configuración para los valores relevantes para la seguridad
- Documenta el significado y propósito de todas las constantes de seguridad
- Centraliza la configuración de seguridad

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs such as localhost or 127.0.0.1
in production code. This indicates:

1. Configuration management issues
2. Potential production deployment problems
3. Leftover development/test code
4. API endpoints pointing to local services

Development URLs should be configurable via environment variables.
  - Remediation: Replace hardcoded URLs with environment variables or configuration.