Javascript Hardcoded Jwt Secret
Description
Detects hardcoded JWT secrets in JavaScript applications using the jsonwebtoken library. Hardcoded JWT secrets in source code are a security risk because they can be discovered through code access, potentially allowing attackers to forge valid authentication tokens and impersonate users.
Detection Strategy
• Scans JavaScript files that use the 'jsonwebtoken' package (or its aliases)
• Identifies jwt.sign() or jwt.verify() function calls
• Checks if the secret/key parameter is a hardcoded value (like a string literal) rather than a variable or environment reference
• Excludes test files from analysis to reduce false positives
• Reports a vulnerability when JWT operations use hardcoded secrets instead of securely configured keys
Vulnerable code example
const jwt = require('jsonwebtoken');
// Vulnerable: Hardcoded secret key directly in code
const token = jwt.sign(
  { userId: 123 },
  'hardcoded_secret_key' // Security risk: Hard-coded secret
);
✅ Secure code example
const jwt = require('jsonwebtoken');
// Load secret from environment variable
const JWT_SECRET = process.env.JWT_SECRET; // Secret stored securely in environment
// Create token with expiration and proper error handling
try {
  const token = jwt.sign({ userId: 123 }, JWT_SECRET, { expiresIn: '1h' });
  // use the token
} catch (err) {
  // jsonwebtoken throws if JWT_SECRET is unset or the options are invalid
  console.error('Could not sign token:', err.message);
}
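The detection strategy above, written out as an added example that is not Fluid Attacks' own rule engine: it collects the jsonwebtoken alias from require/import statements, splits each sign()/verify() call into arguments with a small tokenizer (not a full JavaScript parser), flags a bare string literal in the secret position, and skips files whose path looks like a test. The two sample sources are constructed to mirror the examples on this page.

```javascript
// Added example (not Fluid Attacks' rule engine): applies the detection strategy
// to source text with a small tokenizer, so it runs offline with no dependencies.
const REQUIRE_RE = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]jsonwebtoken['"]\s*\)/g;
const IMPORT_RE = /import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"]jsonwebtoken['"]/g;
const TEST_FILE_RE = /(\.test\.|\.spec\.)\w+$|(^|\/)(__tests__|tests?)\//;
const STRING_LITERAL_RE = /^(?:'[^'\n]*'|"[^"\n]*"|`[^`$\n]*`)$/; // bare literal, no ${}

// Split the text after an opening "(" into top-level arguments, honouring
// nested brackets, string literals and // line comments.
function splitArgs(src, start) {
  const args = []; let depth = 0, cur = '', quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) { cur += ch; if (ch === '\\') cur += src[++i]; else if (ch === quote) quote = null; continue; }
    if (ch === '/' && src[i + 1] === '/') { i = src.indexOf('\n', i); if (i < 0) break; continue; }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; cur += ch; continue; }
    if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch)) { if (depth === 0) { args.push(cur.trim()); return args; } depth--; }
    if (ch === ',' && depth === 0) { args.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  return args;
}

// Report every <alias>.sign()/<alias>.verify() call whose secret argument is a literal.
function findHardcodedJwtSecrets(source, filename = 'app.js') {
  if (TEST_FILE_RE.test(filename)) return []; // test files are excluded by design
  const aliases = [...source.matchAll(REQUIRE_RE), ...source.matchAll(IMPORT_RE)].map(m => m[1]);
  const findings = [];
  for (const alias of new Set(aliases)) {
    const callRe = new RegExp(`\\b${alias}\\.(sign|verify)\\s*\\(`, 'g');
    for (const m of source.matchAll(callRe)) {
      const secret = splitArgs(source, m.index + m[0].length)[1] || ''; // 2nd argument
      if (STRING_LITERAL_RE.test(secret)) {
        const line = source.slice(0, m.index).split('\n').length;
        findings.push({ file: filename, line, method: m[1], secret });
      }
    }
  }
  return findings;
}

// Constructed inputs mirroring the page's vulnerable and secure examples.
const VULNERABLE = `const jwt = require('jsonwebtoken');
const token = jwt.sign({ userId: 123 }, // payload
  'hardcoded_secret_key');`;
const SECURE = `const jwt = require('jsonwebtoken');
const token = jwt.sign({ userId: 123 }, process.env.JWT_SECRET, { expiresIn: '1h' });`;
console.log(findHardcodedJwtSecrets(VULNERABLE, 'auth.js'), findHardcodedJwtSecrets(SECURE, 'auth.js'));
```

A real rule would resolve the secret through variables and constants as well; this version only flags a literal written directly in the call, which is the case the page's vulnerable example shows.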