# Use of Hard-coded, Security-relevant Constants (CWE-547)

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

- Prevalence: केंद्रित 2 भाषाएँ कवर की गईं
- Impact: मध्यम समीक्षा अनुशंसित
- Prevention: प्रलेखित 2 फिक्स उदाहरण

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

## Prevention

2 Shoulder डिटेक्शन नियमों पर आधारित Hardcoded Security Constants के लिए रोकथाम रणनीतियाँ।

### Key Practices

- Use environment variables
- configurable via environment variables

### JavaScript

Use environment variables for URLs with localhost as a development fallback

### Python

Load URLs from environment variables with localhost as the development fallback

## Warning Signs

- [LOW] Hardcoded development URL found: ...
Development URLs like localhost should be configured via environment variables.

- [LOW] hardcoded development URLs (localhost, 127
- [LOW] Development URL found at line ...: ...
- [LOW] hardcoded development URLs such as localhost or 127

## Consequences

- एप्लिकेशन डेटा संशोधित करना
- एप्लिकेशन डेटा पढ़ना

## Mitigations

- सुरक्षा-संबंधी मानों के लिए नामित स्थिरांकों या कॉन्फ़िगरेशन का उपयोग करें
- सभी सुरक्षा स्थिरांकों के अर्थ और उद्देश्य का दस्तावेज़ीकरण करें
- सुरक्षा कॉन्फ़िगरेशन को केंद्रीकृत करें

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.
  - Remediation: Replace hardcoded URLs with environment variables:

Before: const API_URL = 'http://localhost:3000';
After:  const API_URL = process.env.API_URL || 'http://localhost:3000';

For database connections:
Before: host: 'localhost'
After:  host: process.env.DB_HOST || 'localhost'

### Typescript (1 rules)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.
  - Remediation: Replace hardcoded URLs with environment variables:

Before: const API_URL = 'http://localhost:3000';
After:  const API_URL = process.env.API_URL || 'http://localhost:3000';

For database connections:
Before: host: 'localhost'
After:  host: process.env.DB_HOST || 'localhost'

### Python (1 rules)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs such as localhost or 127.0.0.1
in production code. This indicates:

1. Configuration management issues
2. Potential production deployment problems
3. Leftover development/test code
4. API endpoints pointing to local services

Development URLs should be configurable via environment variables.
  - Remediation: Replace hardcoded URLs with environment variables or configuration.