ID: ruby-security/jwt-secret-hardcoded
Language: Ruby
Severity: Error
Category: Security
This rule is about not hardcoding JWT (JSON Web Token) secrets in your Ruby code. JSON Web Tokens are an open, industry standard for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Hardcoding JWT secrets in your code is a security risk, as it gives anyone who has access to the codebase the ability to generate their own valid tokens. This can lead to a number of serious security vulnerabilities, including unauthorized access to protected resources.
To avoid this, store secrets outside of your codebase, in a secure and encrypted environment, and reference them in your code through environment variables or a secret management system. For example, instead of hardcoding the secret passed to the `JWT.encode` method, store it in an environment variable and reference it as `hmac_secret`. This way, even if someone gains access to your codebase, they cannot generate valid tokens without also having access to your secure environment.
```ruby
# Non-compliant: the HMAC secret is a string literal in the source file
JWT.encode payload, 'something', 'HS256'
# Non-compliant: a nil secret is just as fixed and predictable as a literal
JWT.encode payload, nil, 'HS256'
# Compliant: hmac_secret holds a value read from the environment at runtime
JWT.encode payload, hmac_secret, 'HS256'
```
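To make the rule concrete, the following added example (not Datadog's code and not the ruby-jwt gem) implements HS256 signing and verification with only the Ruby standard library, so the point at which the secret enters the token is visible, and loads that secret from the environment with a fail-closed check. The module name `HmacJwt`, the variable name `JWT_HMAC_SECRET` and the helper names are assumptions for this example.

```ruby
require 'openssl'
require 'json'
require 'base64'
# Minimal HS256 JWT signing and verification using only the Ruby standard
# library, to show where the secret enters the token (added example).
module HmacJwt
  MIN_SECRET_BYTES = 32 # HS256 keys should be at least 256 bits

  # Read the secret from the environment, never from a literal in code.
  # Fails at startup when the variable is unset or too short.
  def self.secret_from_env(name = 'JWT_HMAC_SECRET', env = ENV)
    secret = env[name]
    raise KeyError, "#{name} is not set" if secret.nil? || secret.empty?
    raise ArgumentError, "#{name} is shorter than #{MIN_SECRET_BYTES} bytes" if secret.bytesize < MIN_SECRET_BYTES
    secret
  end

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time byte comparison so a forged MAC cannot be probed byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Same shape as JWT.encode(payload, secret, 'HS256').
  def self.encode(payload, secret)
    header = { alg: 'HS256', typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Returns the payload when the signature verifies under +secret+, else nil.
  # The algorithm is pinned to HS256 so an attacker-chosen header is ignored.
  def self.decode(token, secret)
    parts = token.split('.')
    return nil unless parts.size == 3
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    return nil unless secure_equal?(expected, Base64.urlsafe_decode64(parts[2]))
    JSON.parse(Base64.urlsafe_decode64(parts[1]))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

Because the secret is the only thing standing between a client and a valid token, `secret_from_env` refuses to start with an empty or short value rather than falling back to a default.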