# Hardcoded Secret in Environment Variable Fallback

- ID: javascript-env-fallback-secrets
- Severity: HIGH
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects hardcoded secrets used as fallback values for environment variables.

Pattern: `process.env.SECRET || 'hardcoded-value'`

This is dangerous because:

- If the environment variable is not set, the hardcoded value is used silently
- Developers often forget to set env vars in production
- The hardcoded fallback may be committed to version control
- It creates a false sense of security ("we use env vars")

This is particularly common with:

- JWT secrets
- API keys
- Database passwords
- Encryption keys

## Detection Message

Hardcoded secret used as fallback for environment variable. Code: {code} If the environment variable is not set, this hardcoded value will be used, which may happen accidentally in production.

## Remediation

Remove the fallback and fail fast if the env var is missing.

Before (dangerous):

```javascript
const secret = process.env.JWT_SECRET || 'insecure-fallback';
```

After (safe):

```javascript
const secret = process.env.JWT_SECRET;
if (!secret) {
  throw new Error('JWT_SECRET environment variable is required');
}
```

## Related Rules

- **Django Insecure SECRET_KEY** [CRITICAL]
- **Docker Secrets and Security Best Practices** [CRITICAL]
- **Hardcoded Secrets in Source Code** [CRITICAL]
- **Hardcoded Credentials** [HIGH]
- **Hardcoded High-Entropy Secrets Detection** [CRITICAL]
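The following is an added example, not the rule's own implementation or code from the scanner it ships with. It shows the two halves of this page in working form: a line-oriented scanner for the `process.env.NAME || 'literal'` pattern described above (extended to the `?? ` operator and bracket access, and narrowed to credential-like variable names so `PORT || '3000'` is not reported), and a `requireEnv` loader that applies the fail-fast remediation in one place. The names `scanSource`, `requireEnv`, `SECRET_NAME_RE` and `FALLBACK_RE` are this example's own, and the sample source it scans is constructed.

```javascript
// Added example (not the rule's implementation): scanner for the env-fallback
// pattern plus a fail-fast loader. Sample source below is constructed.

// process.env.NAME, process.env['NAME'] or process.env["NAME"], followed by
// || or ?? and a single-, double- or backtick-quoted string literal.
// Groups: 1 = dotted name, 2 = bracket quote, 3 = bracket name,
//         4 = operator, 5/6/7 = the literal (one of the three quote styles).
const FALLBACK_RE =
  /process\.env(?:\.(\w+)|\[\s*(['"])(\w+)\2\s*\])\s*(\|\||\?\?)\s*(?:'([^']*)'|"([^"]*)"|`([^`]*)`)/g;

// Only variables whose names suggest credentials are reported; this keeps
// harmless defaults such as PORT or LOG_LEVEL out of the findings.
const SECRET_NAME_RE = /SECRET|PASS(WORD)?|TOKEN|API_?KEY|PRIVATE|SALT|ENCRYPT|CREDENTIAL/i;

// Findings are written to logs and tickets; echoing the literal there would
// leak the hardcoded value a second time, so only its length is reported.
function redact(literal) {
  return `<redacted, ${literal.length} chars>`;
}

// Scan JavaScript/TypeScript source text and return one finding per
// hardcoded, non-empty fallback assigned to a credential-like variable.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(FALLBACK_RE)) {
      const name = m[1] ?? m[3];
      const literal = m[5] ?? m[6] ?? m[7];
      if (!SECRET_NAME_RE.test(name)) continue; // not a credential-like name
      if (literal === '') continue;             // empty fallback: no hardcoded credential
      findings.push({
        line: i + 1,
        name,
        operator: m[4],
        message:
          `Hardcoded secret used as fallback for environment variable ${name}: ` +
          `process.env.${name} ${m[4]} ${redact(literal)}`,
      });
    }
  });
  return findings;
}

// The remediation pattern, centralised: read the variable, fail fast when it
// is missing or empty, and reject values shorter than the caller's minimum
// (a truthiness check alone would accept a placeholder like "changeme").
// `env` defaults to process.env; tests pass an explicit object.
function requireEnv(name, { minLength = 1, env = process.env } = {}) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`${name} environment variable is required`);
  }
  if (value.length < minLength) {
    throw new Error(`${name} must be at least ${minLength} characters`);
  }
  return value;
}

// Constructed sample input: two findings expected (lines 1 and 2).
const SAMPLE_SOURCE = [
  "const jwtSecret = process.env.JWT_SECRET || 'insecure-fallback';",
  'const dbPass = process.env["DB_PASSWORD"] ?? "changeme";',
  "const port = process.env.PORT || '3000';",            // not a credential name
  "const apiKey = process.env.API_KEY || '';",           // empty fallback, nothing hardcoded
  'const sessionSecret = process.env.SESSION_SECRET;',   // no fallback at all
].join('\n');

function main() {
  for (const f of scanSource(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.message}`);
  }
  // With the variable unset, the loader throws instead of using a default.
  try {
    requireEnv('JWT_SECRET', { minLength: 32, env: {} });
  } catch (e) {
    console.log(`requireEnv: ${e.message}`);
  }
}

main();
```

The scanner is deliberately regex-based so it can run as a pre-commit or CI step without a parser; a `minLength` of 32 or more on `requireEnv` for HMAC-style JWT secrets also catches the case where the variable is set in production but to a placeholder copied from a `.env.example`.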