Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción. Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.
Hardcoding secrets in JWT (JSON Web Token) signing algorithms can expose sensitive data and compromise your application’s security. JWTs are used for authorization, and if their secrets are exposed, unauthorized parties can manipulate these tokens and gain access to your system.
Hardcoding secrets in your code means they are directly included in your source code. This practice is dangerous because if your code is exposed or your system is breached, these secrets can be found and exploited by attackers. Additionally, hard-coded secrets are difficult to rotate or change without updating and redeploying your code.
To adhere to this rule, always load secrets from a secure configuration that is separate from your code. This can be done using secret management systems, environment variables, or secure configuration files. In the case of JWT signing, use a secure method to retrieve the signing secret just before you create the JWT. This ensures that your secret is not stored in an insecure location and that it can be changed without updating your code.
Non-Compliant Code Examples
// Non-compliant: Hardcoded secrets in JWT algorithms
classUnsafeJwtManager{funcreateToken(userId:String):String{try{// Dangerous: Using hardcoded secret
valalgorithm=Algorithm.HMAC256("my_super_secret_key_123")returnJWT.create().withSubject(userId).sign(algorithm)}catch(e:JWTCreationException){throwSecurityException("Token creation failed",e)}}}
Compliant Code Examples
// Compliant: Secrets loaded from secure configuration
classSecureJwtManager(privatevalsecretProvider:SecretProvider// Interface to secret management system
){funcreateToken(userId:String):String{try{// Safe: Secret retrieved from secure storage
valjwtSecret=secretProvider.getSecret("jwt_signing_key")valalgorithm=Algorithm.HMAC256(jwtSecret)returnJWT.create().withSubject(userId).sign(algorithm)}catch(e:JWTCreationException){throwSecurityException("Token creation failed",e)}}}
Integraciones sin problemas. Prueba Datadog Code Security
Datadog Code Security
Prueba esta regla y analiza tu código con Datadog Code Security
Cómo usar esta regla
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.
Crea un static-analysis.datadog.yml con el contenido anterior en la raíz de tu repositorio
Utiliza nuestros complementos del IDE gratuitos o añade análisis de Code Security a tus pipelines de CI.