Javascript Hardcoded Private Key
Description
Detects hardcoded private keys and cryptographic secrets in JavaScript source code. Exposing private keys in source code creates serious security risks as it could allow attackers to decrypt sensitive data or forge signatures. These credentials should be stored securely outside the codebase.
Detection Strategy
• Check for string literals containing private key patterns (e.g. BEGIN PRIVATE KEY, RSA PRIVATE KEY)
• Identify variable assignments or object properties containing private key data
• Report vulnerabilities when private keys are found directly in source code rather than loaded from secure storage
• Examine JavaScript files for exposed cryptographic material that should be kept confidential
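The detection strategy above, worked through as an added example (illustrative code, not Fluid Attacks' rule implementation): a small JavaScript scanner that finds PEM private-key headers inside string literals of a source file and reports the line and key type, while ignoring a header that only appears in a comment. The function names, the regexes and the two sample sources are assumptions constructed for this example; the key body in the sample is a placeholder, not real key material.

```javascript
// Added example, not Fluid Attacks' rule implementation: a small scanner that
// applies the detection strategy above to JavaScript source text.
// All names (findHardcodedPrivateKeys, lineNumberAt, the samples) are assumptions.

// Matches a PEM header such as -----BEGIN RSA PRIVATE KEY----- and captures
// the key type ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", ...).
const PEM_PRIVATE_KEY_HEADER = /-----BEGIN ([A-Z ]*?PRIVATE KEY)-----/;

// Matches JavaScript string literals ('...', "...", `...`) including escapes.
// This is a regex approximation, not a tokenizer: it is enough for a worked
// example, but a production rule should use a real parser so that quotes in
// comments or regex literals cannot confuse it.
const STRING_LITERAL = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g;

// 1-based line number of a character offset in `source`.
function lineNumberAt(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) {
    if (source[i] === '\n') line++;
  }
  return line;
}

// Scan source text and return one finding per string literal that embeds a
// private-key header. Literals are required so that a header mentioned in a
// comment (documentation, a lint rule) is not reported as hardcoded material.
function findHardcodedPrivateKeys(source) {
  const findings = [];
  for (const match of source.matchAll(STRING_LITERAL)) {
    const literal = match[0];
    const header = literal.match(PEM_PRIVATE_KEY_HEADER);
    if (!header) continue;
    findings.push({
      line: lineNumberAt(source, match.index),
      keyType: header[1],
      // Only the header is echoed: never copy key bytes into a report or log.
      evidence: header[0],
    });
  }
  return findings;
}

// Render findings as report lines, e.g. "line 3: hardcoded RSA PRIVATE KEY (...)".
function formatFindings(findings) {
  return findings.map((f) => `line ${f.line}: hardcoded ${f.keyType} (${f.evidence})`);
}

// Constructed sample sources. The key body is a placeholder, not real key material.
const VULNERABLE_SAMPLE = [
  "import jwt from 'jsonwebtoken';",
  "// A header like -----BEGIN PRIVATE KEY----- in a comment is not a finding",
  "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\nFAKEKEYBODY\\n-----END RSA PRIVATE KEY-----';",
  "export const signToken = (p) => jwt.sign(p, privateKey, { algorithm: 'RS256' });",
].join('\n');

const SECURE_SAMPLE = [
  "import jwt from 'jsonwebtoken';",
  "const privateKey = process.env.JWT_PRIVATE_KEY;",
  "export const signToken = (p) => jwt.sign(p, privateKey, { algorithm: 'RS256' });",
].join('\n');

console.log(formatFindings(findHardcodedPrivateKeys(VULNERABLE_SAMPLE)));
// [ 'line 3: hardcoded RSA PRIVATE KEY (-----BEGIN RSA PRIVATE KEY-----)' ]
console.log(findHardcodedPrivateKeys(SECURE_SAMPLE)); // []
```

The report deliberately echoes only the PEM header, not the key body: a scanner that copies the secret it found into a ticket or a CI log has just created a second exposure.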
Vulnerable code example
import jwt from 'jsonwebtoken';

// Vulnerable: Hardcoded private key should be stored securely
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8\niMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6sy\nCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQAB\n-----END RSA PRIVATE KEY-----';

function signToken(payload) {
  return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
}

✅ Secure code example
import jwt from 'jsonwebtoken';

// Load private key from environment variable instead of hardcoding
const privateKey = process.env.JWT_PRIVATE_KEY;

function signToken(payload) {
  if (!privateKey) {
    throw new Error('JWT private key is not configured'); // Fail securely if key missing
  }
  return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
}