# Hardcoded Credentials

- ID: javascript-hardcoded-credentials
- Severity: HIGH
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects hardcoded credentials (passwords, API keys, tokens) in database connections and configuration objects. Credentials should be loaded from environment variables or a secure secret management system.

This is different from CWE-259 (weak password):

- CWE-798: any credential hardcoded in source code, regardless of its strength (a security risk)
- CWE-259: specifically weak or guessable passwords

Even a "strong" password is a security risk if it is hardcoded, because:

- it gets committed to version control
- it is difficult to rotate
- it may leak via logs, error messages, or decompilation
- there is no separation between dev and prod environments

## Detection Message

Hardcoded credential detected in {code}

Credentials should never be stored in source code.

## Remediation

Move credentials to environment variables.

Before:

```javascript
password: 'my-secret-password'
```

After:

```javascript
password: process.env.DB_PASSWORD
```

## Related Rules

- **Django Insecure SECRET_KEY** [CRITICAL]
- **Docker Secrets and Security Best Practices** [CRITICAL]
- **Hardcoded Secrets in Source Code** [CRITICAL]
- **Hardcoded Secret in Environment Variable Fallback** [HIGH]
- **Hardcoded High-Entropy Secrets Detection** [CRITICAL]
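As an added example (not the rule's own implementation and not code from this page), the block below shows a minimal line-based detector in the spirit of the Description section next to the fail-fast environment loader the Remediation section recommends; the credential key list, the `loadDbConfig` helper and the sample source are constructed assumptions, not the rule's real configuration.

```javascript
// Added example, not the rule's own implementation.
// Keys whose string-literal values are treated as credentials (assumption:
// the rule's real key list is not shown on this page).
const CREDENTIAL_KEYS = ['password', 'pass', 'pwd', 'apiKey', 'api_key', 'token', 'secret'];

// Matches `key: 'literal'` or `key = "literal"` where the value is a quoted
// string literal; an expression such as process.env.DB_PASSWORD does not match.
const KEY_PATTERN = new RegExp(
  `\\b(${CREDENTIAL_KEYS.join('|')})\\b\\s*[:=]\\s*(['"\`])([^'"\`]*)\\2`,
  'i'
);

// Returns one finding per offending line: { line, key, snippet }.
// Empty literals are skipped because they carry no secret.
function findHardcodedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const m = KEY_PATTERN.exec(text);
    if (m && m[3].length > 0) {
      findings.push({ line: idx + 1, key: m[1], snippet: text.trim() });
    }
  });
  return findings;
}

// Remediated pattern (hypothetical helper): read the secret from the
// environment and fail fast when it is absent, rather than silently falling
// back to a literal default (the "Environment Variable Fallback" related rule).
function loadDbConfig(env = process.env) {
  const password = env.DB_PASSWORD;
  if (!password) {
    throw new Error('DB_PASSWORD is not set; refusing to start without a credential');
  }
  return { host: env.DB_HOST || 'localhost', user: env.DB_USER || 'app', password };
}

// Constructed sample source: the page's "Before" and "After" plus one API key.
const SAMPLE_SOURCE = [
  "const before = { host: 'db', password: 'my-secret-password' };",
  'const after = { host: "db", password: process.env.DB_PASSWORD };',
  "const client = new Client({ apiKey: 'sk-constructed-example' });",
].join('\n');

// Lines 1 and 3 are reported; line 2 (process.env) is not.
console.log(findHardcodedCredentials(SAMPLE_SOURCE));
```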