Typescript Hardcoded Jwt Secret
Description
Detects hardcoded JWT (JSON Web Token) secrets in application code. Using hardcoded secrets for JWT signing/verification is a critical security vulnerability as it exposes the secret key in source code, making it accessible to attackers who could forge valid authentication tokens.
Detection Strategy
• Identifies direct usage of the 'jsonwebtoken' package in code (including aliased imports)
• Looks for JWT sign/verify operations that use the jsonwebtoken package
• Checks if the secret/key parameter passed to JWT operations is a hardcoded value
• Excludes findings in test files to reduce false positives
• Reports vulnerability when JWT operations use string literals or other hardcoded values as secrets
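The five bullets above describe a static check; the block below is an added example, not Fluid Attacks' analyzer, that implements them as a small lexical detector in TypeScript. It assumes one file is scanned at a time and resolves an identifier passed as the secret only against `const`/`let`/`var` initializers in that same file; the sample sources it scans are constructed for the example.

```typescript
// Added example, not Fluid Attacks' own analyzer: a simplified lexical
// detector that follows the five bullets above. Assumptions: one file is
// scanned at a time, and an identifier passed as the secret is resolved
// only against const/let/var initializers in that same file.

export interface Finding {
  line: number;       // 1-based line of the sign/verify call
  call: string;       // callee text, e.g. "jwt.sign", or the local name of a named import
  secretExpr: string; // raw expression passed as the secret argument
}

const IDENT = '[A-Za-z_$][\\w$]*';
const escapeRe = (s: string) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Bullet 1: every local name bound to 'jsonwebtoken' (default, namespace,
// require() and named imports, with aliases), returned as callee texts.
export function jwtCallees(src: string): string[] {
  const callees: string[] = [];
  const add = (c: string) => { if (callees.indexOf(c) < 0) callees.push(c); };
  let m: RegExpExecArray | null;
  const bound = new RegExp(
    `import\\s+(?:\\*\\s+as\\s+)?(${IDENT})\\s+from\\s+['"]jsonwebtoken['"]` +
    `|(?:const|let|var)\\s+(${IDENT})\\s*=\\s*require\\(\\s*['"]jsonwebtoken['"]\\s*\\)`, 'g');
  while ((m = bound.exec(src)) !== null) {
    const alias = m[1] || m[2];
    add(alias + '.sign');
    add(alias + '.verify');
  }
  const named = /import\s*\{([^}]*)\}\s*from\s+['"]jsonwebtoken['"]/g;
  while ((m = named.exec(src)) !== null) {
    for (const spec of m[1].split(',')) {
      const parts = spec.trim().split(/\s+as\s+/); // "sign" or "sign as s"
      if (parts[0] === 'sign' || parts[0] === 'verify') add(parts[parts.length - 1]);
    }
  }
  return callees;
}

// Splits the argument list of the call whose '(' is at openIdx into its
// top-level arguments, honouring nested brackets and string literals.
function splitArgs(src: string, openIdx: number): string[] | null {
  const args: string[] = [];
  let depth = 0;
  let cur = '';
  let quote: string | null = null;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (quote !== null) {
      cur += c;
      if (c === '\\') cur += src[++i] || '';
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') { quote = c; cur += c; continue; }
    if (c === '(' || c === '[' || c === '{') {
      depth++;
      if (depth === 1) continue;                   // the call's own '('
    } else if (c === ')' || c === ']' || c === '}') {
      depth--;
      if (depth === 0) { args.push(cur.trim()); return args; }
    } else if (c === ',' && depth === 1) {
      args.push(cur.trim());
      cur = '';
      continue;
    }
    cur += c;
  }
  return null;                                     // unbalanced call: skip it
}

// Bullet 3: is the secret expression a compile-time constant?
export function isHardcoded(expr: string, src: string, hops = 0): boolean {
  const e = expr.trim();
  if (/^(['"])[\s\S]*\1$/.test(e)) return true;                 // 'x' or "x"
  if (/^`[^`]*`$/.test(e) && e.indexOf('${') < 0) return true;  // `x` without interpolation
  if (/^Buffer\.from\(\s*['"`]/.test(e)) return true;           // Buffer.from('x')
  if (new RegExp(`^${IDENT}$`).test(e) && hops < 3) {           // identifier: follow its initializer
    const decl = new RegExp(`(?:const|let|var)\\s+${escapeRe(e)}\\s*(?::[^=]+)?=\\s*([^;\\n]+)`).exec(src);
    if (decl !== null) return isHardcoded(decl[1], src, hops + 1);
  }
  return false;                                                 // process.env.X, calls, etc.
}

// Bullet 4: test files are skipped to keep fixtures out of the report.
export function isTestFile(path: string): boolean {
  return /(\.|_)(test|spec)\.[cm]?[jt]sx?$|(^|\/)(__tests__|tests?)\//.test(path);
}

// Bullets 2 and 5: locate sign/verify calls and report hardcoded secrets.
export function scan(path: string, src: string): Finding[] {
  if (isTestFile(path)) return [];
  const findings: Finding[] = [];
  for (const callee of jwtCallees(src)) {
    const call = new RegExp('(^|[^\\w$.])' + escapeRe(callee) + '\\s*\\(', 'g');
    let m: RegExpExecArray | null;
    while ((m = call.exec(src)) !== null) {
      const start = m.index + m[1].length;
      const args = splitArgs(src, m.index + m[0].length - 1);
      if (args === null || args.length < 2) continue;            // the secret is the 2nd argument
      if (isHardcoded(args[1], src)) {
        findings.push({ line: src.slice(0, start).split('\n').length, call: callee, secretExpr: args[1] });
      }
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample inputs (not from a real code base).
export const VULNERABLE_SRC = [
  "import jwt from 'jsonwebtoken';",
  "const secret = 'hardcoded_secret_key';",
  "const t1 = jwt.sign({ userId: 123 }, 'secret', { expiresIn: '1h' });",
  "const t2 = jwt.verify(t1, secret);",
  "const t3 = jwt.sign({ userId: 123 }, process.env.JWT_SECRET as string);",
].join('\n');
export const SECURE_SRC = [
  "import jwt from 'jsonwebtoken';",
  "const secret = process.env.JWT_SECRET;",
  "const token = jwt.sign({ userId: 123 }, secret);",
].join('\n');
export const NAMED_IMPORT_SRC = [
  "import { sign as s, verify } from 'jsonwebtoken';",
  "export const make = (id: number) => s({ id }, Buffer.from('abc', 'utf8'));",
  "export const check = (t: string) => verify(t, process.env.JWT_SECRET!);",
].join('\n');
```

Running `scan('src/auth.ts', VULNERABLE_SRC)` reports lines 3 and 4 (the literal `'secret'` and the identifier `secret` that resolves to a literal) and nothing for line 5, while the same source under `src/auth.test.ts` yields no findings. A real analyzer works on a syntax tree rather than regular expressions; the lexical approach here misses secrets that flow through function parameters, reassignment, or other modules.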
Vulnerable code example
import jwt from 'jsonwebtoken';
// Vulnerable: Secret key hardcoded in source code
const secret = 'hardcoded_secret_key';
const token = jwt.sign( // Vulnerable: Using hardcoded secret
{ userId: 123 },
'secret'...
✅ Secure code example
import jwt from 'jsonwebtoken';
// Secure: Load secret from environment variable instead of hardcoding
const secret = process.env.JWT_SECRET;
const token = jwt.sign(
{
userId: 123,...
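The secure example reads `process.env.JWT_SECRET`, but that expression is `undefined` whenever the variable is unset, so the service should refuse to start rather than pass an empty or placeholder value to `jwt.sign`. The block below is an added example, not part of the original page; `validateJwtSecret`, `loadJwtSecret` and `MIN_SECRET_LENGTH` are its own names.

```typescript
// Added example, not part of the original page: fail closed when the JWT
// secret is missing, too short, or an obvious placeholder.
// validateJwtSecret, loadJwtSecret and MIN_SECRET_LENGTH are this example's own names.

// RFC 7518 section 3.2 requires an HS256 key of at least 256 bits. jsonwebtoken
// uses the bytes of the string as the HMAC key, so 32 ASCII characters meet that
// bound; generate the value from a CSPRNG rather than choosing it by hand.
export const MIN_SECRET_LENGTH = 32;
const PLACEHOLDERS = ['secret', 'changeme', 'password', 'hardcoded_secret_key'];

// Returns null when the value is acceptable, otherwise a message saying why not.
export function validateJwtSecret(value: string | undefined, name = 'JWT_SECRET'): string | null {
  if (value === undefined || value.trim() === '') return `${name} is not set`;
  if (PLACEHOLDERS.indexOf(value.toLowerCase()) >= 0) return `${name} is a placeholder value`;
  if (value.length < MIN_SECRET_LENGTH) return `${name} is shorter than ${MIN_SECRET_LENGTH} characters`;
  return null;
}

// Throw at startup instead of returning an unusable secret.
// Usage in an application: const secret = loadJwtSecret(process.env);
export function loadJwtSecret(env: { [key: string]: string | undefined }, name = 'JWT_SECRET'): string {
  const problem = validateJwtSecret(env[name], name);
  if (problem !== null) throw new Error(`refusing to start: ${problem}`);
  return env[name] as string;
}
```

Calling `loadJwtSecret` once at startup and passing the result to `jwt.sign` and `jwt.verify` keeps the secret out of source control and turns a missing configuration into a clear startup error instead of a token-signing failure at the first request.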