Use of Hard-coded, Security-relevant Constants
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.
Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.
How to fix this vulnerability
Prevention strategies for Hardcoded Security Constants based on 2 Shoulder detection rules.
Use environment variables for URLs with localhost as a development fallback
- const API_URL = 'http://localhost:3000'; + const API_URL = process.env.API_URL || 'http://localhost:3000'; const response = await fetch(`${API_URL}/users`);
Load URLs from environment variables with localhost as the development fallback
- API_URL = "http://localhost:3000/api" - DB_HOST = "127.0.0.1" + import os + + API_URL = os.getenv('API_URL', 'http://localhost:3000/api') + DB_HOST = os.getenv('DB_HOST', 'localhost') def fetch_data(): response = requests.get(f'{API_URL}/data') return response.json()
Key Practices
- Use environment variables
- configurable via environment variables
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Use of Hard-coded, Security-relevant Constants patterns. 2 rules.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=547 # Or scan entire project npx @shoulderdev/cli trust .
Detection Rules (2)
What to watch for in code reviews
These patterns indicate potential Use of Hard-coded, Security-relevant Constants vulnerabilities. Look for these during code reviews and security audits.
Scan your codebase for Use of Hard-coded, Security-relevant Constants
Shoulder CLI finds vulnerable patterns across your entire codebase.