{
    "slug": "hardcoded_credential",
    "term": "Hardcoded Credentials",
    "category": "security",
    "difficulty": "beginner",
    "short": "Passwords, API keys, or tokens written directly into source code — permanently exposed to anyone with repository access and impossible to rotate without a code change.",
    "long": "Hardcoded credentials appear in source code, config files committed to git, docker images, and CI/CD logs. Once in git history they are permanent — even deleting the file does not remove the commit, so any credential that has ever been committed must be treated as compromised and rotated. Secret scanning tools (GitHub, GitLab, truffleHog) automatically detect patterns like API keys and, in some cases, notify the issuing provider so the key can be revoked. The correct approach is runtime injection via environment variables or a secrets manager, never compile-time embedding.",
    "aliases": [
        "hardcoded password",
        "hardcoded API key",
        "credential in source"
    ],
    "tags": [
        "security",
        "credentials",
        "php"
    ],
    "misconception": "Private repositories are safe for storing secrets — private repos are breached, forked, accidentally made public, or accessed by former employees; secrets must never be in code regardless of visibility.",
    "why_it_matters": "A single hardcoded credential in a git repository — even a private one — is a breach waiting to happen; once committed it is effectively permanent and can be found by anyone who gains repo access.",
    "common_mistakes": [
        "Committing .env files to version control — add .env to .gitignore before the first commit.",
        "Hardcoding credentials in docker-compose.yml or Kubernetes manifests committed to git.",
        "Using placeholder credentials that 'get replaced in production' but never do.",
        "Rotating the credential without removing it from git history — use git filter-repo or BFG; note that rewriting history does not recall existing clones, forks, or caches, so rotation remains mandatory."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hardcoded_credentials",
        "secrets_management",
        "dotenv",
        "api_key_exposure"
    ],
    "prerequisites": [
        "secrets_management",
        "environment_variables_linux",
        "dotenv"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
    ],
    "bad_code": "// Hardcoded in source — permanent exposure:\n$pdo = new PDO('mysql:host=db', 'root', 'supersecret123');\n\n$client = new StripeClient('sk_live_abc123realkey');\n\ndefine('ADMIN_PASS', 'letmein');",
    "good_code": "// Runtime injection via environment variables:\n$pdo = new PDO(\n    'mysql:host=' . getenv('DB_HOST'),\n    getenv('DB_USER'),\n    getenv('DB_PASS')\n);\n\n$client = new StripeClient(getenv('STRIPE_SECRET_KEY'));\n\n// Or from a secrets manager:\n$secret = $vault->getSecret('prod/stripe');",
    "quick_fix": "Move credentials to environment variables (getenv()) or a secrets manager, rotate any credential that was already committed, and add .env to .gitignore immediately",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/hardcoded_credential",
        "html_url": "https://codeclaritylab.com/glossary/hardcoded_credential",
        "json_url": "https://codeclaritylab.com/glossary/hardcoded_credential.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Hardcoded Credentials](https://codeclaritylab.com/glossary/hardcoded_credential) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/hardcoded_credential"
            }
        }
    }
}