Hardcoding secrets in JWT (JSON Web Token) signing algorithms can expose sensitive data and compromise your application’s security. JWTs are used for authorization, and if their secrets are exposed, unauthorized parties can manipulate these tokens and gain access to your system.
Hardcoding secrets in your code means they are directly included in your source code. This practice is dangerous because if your code is exposed or your system is breached, these secrets can be found and exploited by attackers. Additionally, hard-coded secrets are difficult to rotate or change without updating and redeploying your code.
To adhere to this rule, always load secrets from a secure configuration that is separate from your code. This can be done using secret management systems, environment variables, or secure configuration files. In the case of JWT signing, use a secure method to retrieve the signing secret just before you create the JWT. This ensures that your secret is not stored in an insecure location and that it can be changed without updating your code.
Non-Compliant Code Examples
// Non-compliant: Hardcoded secrets in JWT algorithms
classUnsafeJwtManager{funcreateToken(userId:String):String{try{// Dangerous: Using hardcoded secret
valalgorithm=Algorithm.HMAC256("my_super_secret_key_123")returnJWT.create().withSubject(userId).sign(algorithm)}catch(e:JWTCreationException){throwSecurityException("Token creation failed",e)}}}
Compliant Code Examples
// Compliant: Secrets loaded from secure configuration
classSecureJwtManager(privatevalsecretProvider:SecretProvider// Interface to secret management system
){funcreateToken(userId:String):String{try{// Safe: Secret retrieved from secure storage
valjwtSecret=secretProvider.getSecret("jwt_signing_key")valalgorithm=Algorithm.HMAC256(jwtSecret)returnJWT.create().withSubject(userId).sign(algorithm)}catch(e:JWTCreationException){throwSecurityException("Token creation failed",e)}}}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines