# Use of Hard-coded Credentials (CWE-798)

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

**Stack:** Python

- Prevalence: High; frequently exploited
- Impact: Critical; 6 rules at critical level
- Prevention: Documented; 11 example fixes

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect. Because the credential is identical in every copy of the product, anyone who can read the source, a container image or a decompiled package obtains it, and rotating it requires shipping a code change rather than a configuration change.

## Prevention

Prevention strategies for hardcoded credentials, based on the 3 Shoulder detection rules for Python.

### Key Practices

- Credentials are stored in environment variables or secure vaults, never in source code
- Credentials are never committed to version control

### Python

- Load SECRET_KEY from environment variables; never commit it to source control
- Store all credentials in environment variables or a secrets manager, never in code
- Load all secrets from environment variables or a secrets manager

## Warning Signs

- [HIGH] hardcoded passwords, API keys, tokens, and other credentials in source code
- [HIGH] hardcoded secrets, passwords, API keys, and cryptographic keys in source code
- [CRITICAL] Django SECRET_KEY that is hardcoded, weak, or uses default values

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Store credentials outside the source code
- Use environment variables or secure credential stores
- Implement proper key management procedures

## Detection

- Total rules: 11
- Critical: 6
- Languages: python, dockerfile, go, javascript, typescript, yaml

## Rules by Language

### Python (3 rules)

- **Django Insecure SECRET_KEY** [CRITICAL]: Detects Django SECRET_KEY that is hardcoded, weak, or uses default values. The SECRET_KEY is used for cryptographic signing and must be kept secret and changed in production.
  - Remediation: Load SECRET_KEY from environment variables.

    ```python
    import os

    # KeyError at startup if the variable is missing, which is the intended fail-fast behaviour
    SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
    ```

    Generate a strong key: `python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'`

    Learn more: https://shoulder.dev/learn/python/cwe-798/secret-key

- **Hardcoded Credentials** [HIGH]: Detects hardcoded passwords, API keys, tokens, and other credentials in source code. Credentials should be stored in environment variables or secure vaults.
  - Remediation: Store credentials in environment variables instead of source code.

    ```python
    import os

    password = os.getenv('DB_PASSWORD')  # returns None when unset; validate before use
    api_key = os.environ['API_KEY']      # raises KeyError when unset, so the app fails fast
    secret_key = os.getenv('SECRET_KEY')
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-798/hardcoded-credentials

- **Hardcoded Secrets / Credentials** [HIGH]: Detects hardcoded secrets, passwords, API keys, and cryptographic keys in source code. Secrets should be stored in environment variables or secure vaults, never committed to version control.
  - Remediation: Load secrets from environment variables, never hardcode them.

    ```python
    import os

    from flask import Flask

    app = Flask(__name__)
    app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
    API_KEY = os.environ['API_KEY']
    DATABASE_PASSWORD = os.environ['DB_PASSWORD']
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-798/hardcoded-secrets
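The three Python rules above share one remediation (load the value from the environment) and one gap the remediation alone does not close: an environment variable can still carry a missing, default or weak value. The following is an added example, not code from the Shoulder rules or from Django. It shows a startup-time loader that rejects a Django SECRET_KEY using the same thresholds as Django's own deploy check (fewer than 50 characters, fewer than 5 unique characters, or the `django-insecure-` prefix that `startproject` generates), plus a simplified detector for the assignment pattern the HIGH rules flag, run over a constructed settings module. The variable names `DJANGO_SECRET_KEY` and `DJANGO_SECRET_KEY_FILE`, the `*_FILE` convention for mounted secrets, the regex and the sample settings are all assumptions made for this illustration; the regex is not the Shoulder rule logic.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Thresholds mirror Django's deploy check (security.W009): a SECRET_KEY shorter
# than 50 characters, with fewer than 5 unique characters, or starting with the
# "django-insecure-" prefix that `startproject` generates is rejected.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
SECRET_KEY_INSECURE_PREFIX = "django-insecure-"


class ConfigError(RuntimeError):
    """Raised when a required secret is missing or fails validation."""


def read_secret(env: Mapping[str, str], name: str) -> str:
    """Return a secret from NAME, or from the file named by NAME_FILE.

    The *_FILE convention is how Docker and Kubernetes mounted secrets are
    commonly consumed (assumed convention, not part of the Shoulder rules).
    """
    value = env.get(name, "")
    if value:
        return value
    path = env.get(f"{name}_FILE", "")
    if path:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    return ""


def secret_key_problem(env: Mapping[str, str]) -> Optional[str]:
    """Describe why the configured Django SECRET_KEY is unusable, or None if it is fine."""
    key = read_secret(env, "DJANGO_SECRET_KEY")
    if not key:
        return "DJANGO_SECRET_KEY is not set"
    if key.startswith(SECRET_KEY_INSECURE_PREFIX):
        return "DJANGO_SECRET_KEY is the development default generated by startproject"
    if len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE_CHARACTERS:
        return "DJANGO_SECRET_KEY is too short or has too few unique characters"
    return None


def load_secret_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Fail fast at startup instead of signing sessions with a missing or weak key."""
    env = os.environ if env is None else env
    problem = secret_key_problem(env)
    if problem:
        raise ConfigError(problem)
    return read_secret(env, "DJANGO_SECRET_KEY")


# Simplified detector for the pattern the HIGH/CRITICAL rules flag: a
# credential-looking name assigned a quoted literal of 8+ characters.
# Loads from os.environ / os.getenv do not match because the right-hand
# side is not a quoted literal. Illustration only, not Shoulder's rule logic.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(\w*(?:secret_key|password|passwd|api_key|token|private_key)\w*)
    \s*=\s*(['"])([^'"]{8,})\2
    """
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for every hardcoded credential literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out secrets are not live, though they still need purging from history
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample settings module: two hardcoded credentials and one correct load.
SAMPLE_SETTINGS = '''\
import os
SECRET_KEY = "django-insecure-0123456789abcdefghijklmnopqrstuvwxyz0123456789"
DB_PASSWORD = "hunter2hunter2"
API_KEY = os.environ["API_KEY"]
# old_token = "deadbeefdeadbeef"
'''

# Constructed key used only to show the validator accepting a strong value.
DEMO_STRONG_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_SETTINGS):
        print(f"line {lineno}: hardcoded credential in {name}")
    print(secret_key_problem({"DJANGO_SECRET_KEY": "django-insecure-" + "x" * 40}))
    print(secret_key_problem({"DJANGO_SECRET_KEY": DEMO_STRONG_KEY}))
```

Call `load_secret_key()` once in `settings.py` instead of `os.environ['DJANGO_SECRET_KEY']` so a deployment with an unset or copied development key refuses to start, and run `find_hardcoded_credentials` over source files in CI as a cheap pre-check alongside the real rules; a regex of this kind misses credentials built from concatenation or stored in dict literals, which is why the rule set, not the regex, is the authority.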