Do not hardcode JWT secrets


ID: ruby-security/jwt-secret-hardcoded

Language: Ruby

Severity: Error

Category: Security


This rule is about not hardcoding JWT (JSON Web Token) secrets in your Ruby code. JSON Web Tokens are an open, industry standard for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Hardcoding JWT secrets in your code is a security risk, as it gives anyone who has access to the codebase the ability to generate their own valid tokens. This can lead to a number of serious security vulnerabilities, including unauthorized access to protected resources.

To avoid this, store secrets outside of your codebase, in a secure and encrypted environment. You can then reference these secrets in your code through environment variables or a secure secret management system. For example, instead of hardcoding the secret in the JWT.encode method, you can store it in an environment variable and reference it as hmac_secret. This way, even if someone gains access to your codebase, they won’t be able to generate valid tokens without also having access to your secure environment.

Non-Compliant Code Examples

JWT.encode payload, 'something', 'HS256'
JWT.encode payload, nil, 'HS256'

Compliant Code Examples

JWT.encode payload, hmac_secret, 'HS256' jetbrains

Seamless integrations. Try Datadog Code Analysis