# Hardcoded Weak Password

- ID: javascript-hardcoded-weak-password
- Severity: HIGH
- CWE: Hardcoded Password (CWE-259)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify

## Description

Detects hardcoded weak passwords in database connections and configuration. Common weak passwords like "password", "admin", "root", "secret", etc. are easily guessed and should never be hardcoded in source code.

This rule complements the high-entropy secrets detection by catching simple, well-known weak passwords that entropy-based detection would miss.

## Detection Message

```
Hardcoded weak password detected: {code}
This password is easily guessable and should never be used in production.
```

## Remediation

Move credentials to environment variables:

Before:

```javascript
password: 'password'
```

After:

```javascript
password: process.env.DB_PASSWORD
```

Then set `DB_PASSWORD` in your environment or `.env` file.
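
The following added example (not the rule's own implementation) shows the kind of check the description refers to and why it complements entropy-based detection: the weak values it flags score well below a random secret on Shannon entropy. The regular expression, the function names `findWeakPasswords` and `shannonEntropy`, and the sample input are assumptions made for illustration; the wordlist holds only the four values the description names.

```javascript
// Added example: not the rule's real implementation.
// WEAK_PASSWORDS is a constructed list seeded with the values the rule description names.
const WEAK_PASSWORDS = new Set(['password', 'admin', 'root', 'secret']);

// Shannon entropy in bits per character, the metric entropy-based secret scanners threshold on.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Matches a password-like key assigned a string literal: password: '...', "dbPassword": "...", pass = `...`
const ASSIGNMENT = /["']?(\w*pass(?:word|wd)?)["']?\s*[:=]\s*(["'`])([^"'`\n]*)\2/gi;

// Returns one finding per password-like key whose literal value is on the weak list.
function findWeakPasswords(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(ASSIGNMENT)) {
      const value = m[3];
      if (WEAK_PASSWORDS.has(value.toLowerCase())) {
        findings.push({ line: i + 1, key: m[1], value, entropy: shannonEntropy(value) });
      }
    }
  });
  return findings;
}

// Constructed sample input: two weak literals, one env lookup, one high-entropy literal.
const SAMPLE = [
  "const pool = new Pool({",
  "  user: 'app',",
  "  password: 'password',",
  "});",
  "const cfg = { dbPassword: \"Admin\" };",
  "const safe = { password: process.env.DB_PASSWORD };",
  "const other = { password: 'kX9$vQ2!mZr7Lp4w' };",
].join('\n');

for (const f of findWeakPasswords(SAMPLE)) {
  console.log(`line ${f.line}: ${f.key} = '${f.value}' (${f.entropy.toFixed(2)} bits/char)`);
}
```

The high-entropy literal on the last sample line is still a hardcoded credential; it is left to the entropy-based rule, which is the division of labour the description states.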