{
    "slug": "hardcoded_credentials",
    "term": "Hardcoded Credentials",
    "category": "security",
    "difficulty": "beginner",
    "short": "Secrets, passwords, or API keys embedded directly in source code can be extracted from repositories or compiled binaries.",
    "long": "Hardcoded credentials are a persistent risk because developers commit secrets into version control — even if a secret is removed in a later commit, it remains in git history and in every clone, fork and CI cache of the repository. Once a repository is leaked or made public, automated scanners harvest these credentials within minutes, so any secret that has ever been pushed must be treated as compromised and rotated. Use environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager) to inject credentials at runtime; environment variables keep secrets out of the repository but can still leak through crash dumps, debug pages and child processes, so prefer a secrets manager for production. In PHP, read them with getenv() rather than $_ENV, which is empty unless the variables_order ini setting includes E. Implement pre-commit hooks with tools like truffleHog or git-secrets to prevent accidental commits, and scan in CI as well, since a local hook can be bypassed with --no-verify.",
    "aliases": [
        "hardcoded password",
        "hardcoded secret",
        "embedded credentials"
    ],
    "tags": [
        "secrets",
        "misconfiguration",
        "cwe-798"
    ],
    "misconception": "Credentials in a private repository are safe. Private repos get breached or accidentally made public, every collaborator laptop and CI runner holds a full clone of the history, and git history preserves secrets even after they are removed. Secrets should never enter version control.",
    "why_it_matters": "Credentials committed to source control must be treated as permanently exposed — once pushed, git history cannot be reliably purged (clones, forks, mirrors and caches keep it), so rewriting history does not make the old secret safe; the only effective remedy is to rotate the credential and review its access logs for misuse.",
    "common_mistakes": [
        "Committing .env files or config files with real credentials to version control.",
        "Defining credentials as PHP constants in source files that are tracked in git.",
        "Using the same credentials in development and production, meaning a dev repo leak compromises production.",
        "Not scanning CI pipelines and logs, which often echo environment variables containing secrets (for example a debug step that runs env or printenv, or verbose tooling that prints its resolved configuration)."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "api_key_exposure",
        "sensitive_data_exposure",
        "information_disclosure"
    ],
    "prerequisites": [
        "hardcoded_credential",
        "secrets_management",
        "configuration_management"
    ],
    "refs": [
        "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password",
        "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
    ],
    "bad_code": "$db = new PDO('mysql:host=localhost', 'root', 'SuperSecret123!');",
    "good_code": "$db = new PDO('mysql:host=' . $_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS']);",
    "quick_fix": "Run truffleHog or gitleaks on your entire git history now — if anything is found, rotate the credential immediately regardless of how old the commit is, then check the affected account's access logs for use you did not authorise",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/hardcoded_credentials",
        "html_url": "https://codeclaritylab.com/glossary/hardcoded_credentials",
        "json_url": "https://codeclaritylab.com/glossary/hardcoded_credentials.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Hardcoded Credentials](https://codeclaritylab.com/glossary/hardcoded_credentials) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/hardcoded_credentials"
            }
        }
    }
}