# Use of Hard-coded, Security-relevant Constants (CWE-547)

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

- Prevalence: Specific (2 languages supported)
- Impact: Moderate (review recommended)
- Prevention: Documented (2 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, the risk of error rises each time the code has to be modified, since a bare literal says nothing about its meaning or about the other places that must change in step with it.

## Prevention

A prevention strategy for hard-coded security constants, based on the 2 Shoulder detection rules.

### Key Practices

- Use environment variables
- Make development URLs configurable via environment variables

### JavaScript

Use environment variables for URLs, with localhost as a development fallback.

### Python

Load URLs from environment variables, with localhost as the development fallback.

## Warning Signs

- [LOW] Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables.
- [LOW] hardcoded development URLs (localhost, 127
- [LOW] Development URL found at line ...: ...
- [LOW] hardcoded development URLs such as localhost or 127

## Consequences

- Modify application data
- Read application data

## Mitigations

- Use named constants or configuration for security-relevant values
- Document the meaning and purpose of every security-relevant constant
- Manage security configuration centrally

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.
  - Remediation: Replace hardcoded URLs with environment variables.
    - Before: `const API_URL = 'http://localhost:3000';`
    - After: `const API_URL = process.env.API_URL || 'http://localhost:3000';`
    - For database connections, before: `host: 'localhost'`; after: `host: process.env.DB_HOST || 'localhost'`

### Typescript (1 rule)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.
  - Remediation: Replace hardcoded URLs with environment variables.
    - Before: `const API_URL = 'http://localhost:3000';`
    - After: `const API_URL = process.env.API_URL || 'http://localhost:3000';`
    - For database connections, before: `host: 'localhost'`; after: `host: process.env.DB_HOST || 'localhost'`

### Python (1 rule)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs such as localhost or 127.0.0.1 in production code. This indicates:
  1. Configuration management issues
  2. Potential production deployment problems
  3. Leftover development/test code
  4. API endpoints pointing to local services

  Development URLs should be configurable via environment variables.
  - Remediation: Replace hardcoded URLs with environment variables or configuration.
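The rule descriptions above say what the Hardcoded Development URLs check looks for but not how such a check behaves on real source. The following is an added example, not the Shoulder project's own rule implementation: a line-based scanner that flags `localhost` and `127.0.0.1` literals, skips comment lines, and treats a literal that only serves as the fallback of a `process.env` lookup (the remediated form shown above) as acceptable. The sample source it scans is constructed for this example; `scanForDevUrls`, `DEV_HOST_RE` and `ENV_FALLBACK_RE` are names chosen here.

```javascript
// Added example (not the Shoulder project's rule code): a small scanner for
// hard-coded development URLs, the pattern the [LOW] rule above describes.

// localhost or 127.0.0.1, optionally with an http(s) scheme and a port.
const DEV_HOST_RE = /(?:https?:\/\/)?\b(?:localhost|127\.0\.0\.1)\b(?::\d+)?/i;

// A literal is acceptable when it is only the fallback of an environment
// lookup, i.e. the remediated form `process.env.X || 'http://localhost:3000'`.
const ENV_FALLBACK_RE = /process\.env\.[A-Za-z0-9_]+\s*(?:\|\||\?\?)/;

// Scans JavaScript source text and returns one finding per offending line.
function scanForDevUrls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const trimmed = line.trim();
    if (trimmed.startsWith('//')) return;      // comment lines are not code
    const m = DEV_HOST_RE.exec(line);
    if (!m) return;                            // no development host literal
    if (ENV_FALLBACK_RE.test(line)) return;    // env lookup with dev fallback
    findings.push({
      line: idx + 1,
      severity: 'LOW',
      match: m[0],
      message: `Hardcoded development URL found: ${m[0]}. ` +
        'Development URLs like localhost should be configured via environment variables.',
    });
  });
  return findings;
}

// Constructed sample source for the example; not code from any real project.
const SAMPLE_SOURCE = [
  "// constructed sample module",
  "const API_URL = 'http://localhost:3000';",                    // flagged
  "const DB_HOST = process.env.DB_HOST || 'localhost';",         // remediated
  "const CACHE_URL = 'redis://127.0.0.1:6379';",                 // flagged
  "const PUBLIC_URL = 'https://example.com';",                   // fine
  "// localhost mentioned only in this comment",                 // skipped
].join('\n');

// Stand-alone run: prints the two findings (lines 2 and 4).
for (const f of scanForDevUrls(SAMPLE_SOURCE)) {
  console.log(`[${f.severity}] line ${f.line}: ${f.message}`);
}
```

The fallback exemption is what keeps the scanner from re-flagging code that has already been fixed in the way the remediation describes; a scanner without it would report every remediated line as a new finding.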
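The remediation pattern `process.env.API_URL || 'http://localhost:3000'` has one caveat a reviewer would want stated: if the variable is missing in production, the service silently falls back to localhost. The following added example (not code from the page or the Shoulder project) combines that pattern with the three Mitigations above: settings are named, each documents its purpose, and they are loaded from one central place. The localhost fallback is only honoured outside production; `SETTINGS`, `loadConfig`, `ConfigError` and the injectable `env` argument are choices made for this example.

```javascript
// Added example (not from the page or the Shoulder project): a central
// configuration module applying the remediation pattern above, plus a
// production guard so a missing variable cannot silently mean "localhost".

// One entry per security-relevant setting: a name, the environment variable
// it comes from, its development-only default, and its documented purpose.
const SETTINGS = [
  { key: 'apiUrl', env: 'API_URL', dev: 'http://localhost:3000',
    purpose: 'Base URL of the backend API this service calls' },
  { key: 'dbHost', env: 'DB_HOST', dev: 'localhost',
    purpose: 'Hostname of the primary database' },
];

class ConfigError extends Error {}

// Builds the frozen config object. `env` defaults to process.env; passing a
// plain object makes the loader testable without touching the real environment.
function loadConfig(env = process.env) {
  const production = env.NODE_ENV === 'production';
  const config = {};
  for (const s of SETTINGS) {
    const value = env[s.env];
    if (value) {
      config[s.key] = value;                       // configured explicitly
    } else if (production) {
      // Same semantics as `process.env.X || dev`, except that in production a
      // missing value is an error rather than a silent localhost fallback.
      throw new ConfigError(`${s.env} must be set in production (${s.purpose})`);
    } else {
      config[s.key] = s.dev;                       // development fallback only
    }
  }
  return Object.freeze(config);
}

// Stand-alone run: development defaults when nothing is set.
console.log(loadConfig({}));
```

Because the loader is the only module that reads these variables, a reviewer checks one file to see every security-relevant value, its source and its purpose, instead of searching for string literals across the code base.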