Typescript Hardcoded Hmac Key
Description
Detects when HMAC cryptographic functions are initialized with hardcoded secret keys in the code. Using hardcoded keys is a security risk since they can be exposed if source code is compromised, allowing attackers to forge HMAC signatures.
Detection Strategy
• Identifies calls to crypto.createHmac function
• Checks whether the key argument is a string literal written directly in the source
• Reports a security finding when an HMAC is created with a hardcoded key instead of using secure key management
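The following is an added example of the detection logic described above; it is not Fluid Attacks' own scanner. It walks source text line by line and flags createHmac calls whose second argument is a quoted string literal. The sample source it scans is constructed for the example. Because it is a regular expression rather than a parser, it does not follow a literal assigned to a variable first, nor keys built with Buffer.from or template strings, so treat it as the narrow check the strategy names, not a complete analysis.

```typescript
// Added example: a minimal line-based detector for createHmac calls with a
// hardcoded key. Not the product's implementation; a regex approximation.

export interface HmacFinding {
  line: number;        // 1-based line number in the scanned source
  algorithm: string;   // first argument of createHmac, e.g. 'sha256'
  keyLiteral: string;  // the hardcoded key as written in the source
  snippet: string;     // the offending line, trimmed
}

// Matches `createHmac('alg', 'key'` or `createHmac("alg", "key"`, with or
// without a `crypto.` prefix. The key must be a single- or double-quoted
// literal; identifiers such as SECRET_KEY or process.env.X do not match.
const HARDCODED_HMAC =
  /\bcreateHmac\s*\(\s*(['"])([^'"]+)\1\s*,\s*(['"])([^'"]*)\3/;

export function findHardcodedHmacKeys(source: string): HmacFinding[] {
  const findings: HmacFinding[] = [];
  source.split('\n').forEach((text, idx) => {
    const m = HARDCODED_HMAC.exec(text);
    if (m) {
      findings.push({
        line: idx + 1,
        algorithm: m[2],
        keyLiteral: m[4],
        snippet: text.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample input: two vulnerable lines, one line that reads the key
// from the environment, and one line whose string literal is the payload
// rather than the key (must not be reported).
export const SAMPLE_SOURCE = [
  "import * as crypto from 'crypto';",
  "const a = crypto.createHmac('sha256', 'abc123secretkey456').update('data');",
  'const b = crypto.createHmac("sha1", "myStaticSecretKey");',
  "const c = crypto.createHmac('sha256', process.env.SECRET_KEY!).update('data');",
  "const d = crypto.createHmac('sha256', key).update('literal payload');",
].join('\n');

// Human-readable report lines; the key value itself is not echoed, only its length.
export function report(source: string): string[] {
  return findHardcodedHmacKeys(source).map(
    (f) => `line ${f.line}: createHmac('${f.algorithm}') uses a hardcoded key (${f.keyLiteral.length} chars)`,
  );
}

// Usage: report(SAMPLE_SOURCE) -> two lines, for source lines 2 and 3.
```

The report deliberately prints the key's length rather than its value, so that running the check in CI does not copy the secret into build logs.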
Vulnerable code example
import * as crypto from 'crypto';
// Vulnerable: Hardcoded secret key directly in code
const hmac = crypto.createHmac('sha256', 'abc123secretkey456').update('data');
// Vulnerable: Another hardcoded key in code instead of environment variable
const hasher = crypto.createHmac('sha256', 'myStaticSecretKey');

✅ Secure code example
import * as crypto from 'crypto';
// Safe: Read secret from environment and validate presence
const SECRET_KEY = process.env.SECRET_KEY;
if (!SECRET_KEY) {
  throw new Error('Missing SECRET_KEY environment variable');
}
const hmac = crypto.createHmac('sha256', SECRET_KEY).update('data');
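The secure example above loads the key from the environment but stops at creating the HMAC. The added example below, which is not part of the original page, carries that through to signing and verifying a message: the key is read from an injectable environment object, rejected when missing or too short, and tags are compared with crypto.timingSafeEqual. The base64 encoding of SECRET_KEY and the 32-byte minimum are this example's own assumptions, not requirements stated by the rule.

```typescript
import * as crypto from 'crypto';

// Added example. Reads the HMAC key from the environment (never from a
// literal) and validates it. `env` is injectable so tests can supply a
// constructed value instead of touching the real process environment.
export function loadHmacKey(
  env: Record<string, string | undefined> = process.env,
  minBytes = 32, // assumption for this example: 256-bit keys for HMAC-SHA256
): Buffer {
  const raw = env.SECRET_KEY;
  if (!raw) {
    throw new Error('Missing SECRET_KEY environment variable');
  }
  const key = Buffer.from(raw, 'base64'); // assumption: key is stored base64-encoded
  if (key.length < minBytes) {
    throw new Error(`SECRET_KEY must decode to at least ${minBytes} bytes`);
  }
  return key;
}

// Produces a hex HMAC-SHA256 tag over the message.
export function sign(key: Buffer, message: string): string {
  return crypto.createHmac('sha256', key).update(message).digest('hex');
}

// Verifies a tag in constant time. A plain string comparison of tags leaks
// timing information that helps an attacker distinguish near-matches, so the
// comparison goes through crypto.timingSafeEqual on equal-length buffers.
export function verify(key: Buffer, message: string, tagHex: string): boolean {
  // HMAC-SHA256 tags are 32 bytes = 64 hex chars; reject anything else up front.
  if (!/^[0-9a-fA-F]{64}$/.test(tagHex)) {
    return false;
  }
  const expected = Buffer.from(sign(key, message), 'hex');
  const given = Buffer.from(tagHex, 'hex');
  return crypto.timingSafeEqual(given, expected);
}

// Usage with a constructed environment (the real key would come from a
// secret store or deployment configuration, not from code):
export function demo(): boolean {
  const fakeEnv = { SECRET_KEY: crypto.randomBytes(32).toString('base64') };
  const key = loadHmacKey(fakeEnv);
  const tag = sign(key, 'data');
  return verify(key, 'data', tag) && !verify(key, 'data2', tag);
}
```

Keeping the key as a Buffer rather than a string also avoids accidental re-encoding of non-ASCII bytes, and the length check catches the common misconfiguration where SECRET_KEY is set but empty or to a short placeholder.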