Python Hardcoded Jwt Secret
Description
Detects when JWT tokens are created using hardcoded secret keys in Python code. Using hardcoded JWT secrets is a security risk as it can lead to token forgery if the secret is exposed in source code.
Detection Strategy
• Identifies calls to jwt.encode function in Python code
• Checks if the second parameter (secret key) is defined as a string literal in the code
• Reports a vulnerability if the JWT secret is hardcoded rather than loaded from configuration
• Example vulnerable code: jwt.encode(payload, 'hardcoded-secret', algorithm='HS256')
• Example secure code: jwt.encode(payload, os.getenv('JWT_SECRET'), algorithm='HS256')
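As an added illustration of the detection strategy above (example code written for this page, not Fluid Attacks' own checker), a small AST-based detector that walks Python source, finds jwt.encode calls and reports those whose secret is a string literal; it also covers the key= keyword form, which the bullets above do not mention, and ignores secrets loaded from os.environ or os.getenv.

```python
# Added example, not the original checker: AST-based detection of jwt.encode
# calls whose secret (second positional argument, or the `key=` keyword)
# is a string literal. Aliased imports such as `import jwt as j` are out of
# scope here and would need a second lookup.
import ast


def find_hardcoded_jwt_secrets(source: str):
    """Return (line number, literal secret) pairs for jwt.encode calls
    whose key argument is a hardcoded string constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match exactly `jwt.encode(...)`.
        if not (isinstance(func, ast.Attribute) and func.attr == "encode"
                and isinstance(func.value, ast.Name) and func.value.id == "jwt"):
            continue
        # The secret is the second positional argument or the `key=` keyword.
        key_arg = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "key":
                key_arg = kw.value
        # A string constant here is a hardcoded secret; names, attribute
        # lookups and calls (e.g. os.getenv(...)) are treated as loaded values.
        if isinstance(key_arg, ast.Constant) and isinstance(key_arg.value, str):
            findings.append((node.lineno, key_arg.value))
    return sorted(findings)


# Constructed sample input mirroring the vulnerable and secure snippets on this page.
SAMPLE = '''
import jwt, os
token = jwt.encode({"id": 1}, "hardcoded_secret_123", algorithm="HS256")
jwt.encode({"user": "admin"}, "my_static_key")
ok = jwt.encode({"id": 1}, os.environ.get("JWT_SECRET_KEY"), algorithm="HS256")
also_ok = jwt.encode({"id": 1}, key=os.getenv("JWT_SECRET"), algorithm="HS256")
bad_kw = jwt.encode({"id": 1}, key="kw-secret", algorithm="HS256")
'''

if __name__ == "__main__":
    for lineno, secret in find_hardcoded_jwt_secrets(SAMPLE):
        print(f"line {lineno}: hardcoded JWT secret {secret!r}")
```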
Vulnerable code example
import jwt
# Vulnerable: Hardcoded secret key as string literal
token = jwt.encode({"id": 1}, "hardcoded_secret_123", algorithm="HS256")
# Vulnerable: Another hardcoded secret
jwt.encode({"user": "admin"}, "my_static_key")
Secure code example
import jwt
import os
# Safe: Get secret key from environment variable
secret_key = os.environ.get('JWT_SECRET_KEY')
if not secret_key:
    raise ValueError('JWT_SECRET_KEY environment variable must be set')
...