Java Hardcoded Jwt Secret
Description
Detects hardcoded secrets used to sign JWTs in Java applications that use the 'io.jsonwebtoken' (jjwt) library. A hardcoded signing key is a security risk because it is exposed to everyone who can read the source or the compiled artifact; signing keys should not be written in source code, but stored securely and loaded through configuration or a proper key management system.
Detection Strategy
• Confirms the code is using the 'io.jsonwebtoken.Jwts' library and is not a test file (excludes files with @Test annotations)
• Identifies JWT signing operations by looking for calls to signing methods in the Jwts library
• Checks if the signing key parameter uses a hardcoded value rather than a configuration or key management system
• Reports a vulnerability when JWT signing operations use hardcoded secret keys or values
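The four steps above map directly onto a small source checker. The following class is an added illustration written for this page, not Fluid Attacks' own analyzer: it uses plain regular expressions (a real engine works on the parsed AST) and treats as "hardcoded" any signWith argument that is a string literal or an identifier that is assigned a string literal somewhere in the file. The three sample sources in main are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical regex-based checker that follows the detection strategy step by step. */
public class HardcodedJwtSecretCheck {

    // Step 1: the file must import the jjwt entry point and must not be a test file.
    private static final Pattern USES_JJWT = Pattern.compile("import\\s+io\\.jsonwebtoken\\.Jwts\\s*;");
    private static final Pattern IS_TEST = Pattern.compile("@Test\\b");
    // Step 2: every signWith(...) call; the argument list is captured for inspection.
    private static final Pattern SIGN_WITH = Pattern.compile("\\.signWith\\s*\\(([^)]*)\\)");
    // A string literal, optionally turned into bytes in place.
    private static final Pattern STRING_LITERAL = Pattern.compile("^\"[^\"]*\"(\\.getBytes\\([^)]*\\))?$");
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*$");

    /** Returns one finding per signing call whose key argument is hardcoded. */
    public static List<String> check(String fileName, String source) {
        List<String> findings = new ArrayList<>();
        if (!USES_JJWT.matcher(source).find() || IS_TEST.matcher(source).find()) {
            return findings;
        }
        Matcher call = SIGN_WITH.matcher(source);
        while (call.find()) {
            // Step 3: a literal, or a name that is assigned a literal, means the key is hardcoded.
            for (String arg : call.group(1).split(",")) {
                String a = arg.trim();
                if (STRING_LITERAL.matcher(a).matches() || isAssignedStringLiteral(source, a)) {
                    int line = 1 + (int) source.substring(0, call.start())
                            .chars().filter(c -> c == '\n').count();
                    // Step 4: report the finding with its location.
                    findings.add(fileName + ":" + line + ": hardcoded JWT signing key in "
                            + call.group(0).trim());
                    break;
                }
            }
        }
        return findings;
    }

    /** True if name is an identifier that is assigned a string literal anywhere in the file. */
    private static boolean isAssignedStringLiteral(String source, String name) {
        if (!IDENTIFIER.matcher(name).matches()) {
            return false;
        }
        Pattern assign = Pattern.compile("\\b" + Pattern.quote(name) + "\\s*=\\s*\"[^\"]*\"");
        return assign.matcher(source).find();
    }

    public static void main(String[] args) {
        // Constructed sample sources for the demonstration, not real project files.
        String vulnerable = String.join("\n",
                "import io.jsonwebtoken.Jwts;",
                "import io.jsonwebtoken.SignatureAlgorithm;",
                "public class JwtUtil {",
                "    private String secret = \"super_secret_1\";",
                "    public String createToken(String u) {",
                "        return Jwts.builder().setSubject(u)",
                "            .signWith(SignatureAlgorithm.HS256, secret).compact();",
                "    }",
                "}");
        String secure = String.join("\n",
                "import io.jsonwebtoken.Jwts;",
                "import io.jsonwebtoken.SignatureAlgorithm;",
                "import javax.crypto.SecretKey;",
                "public class JwtUtil {",
                "    private final SecretKey key;",
                "    public JwtUtil(SecretKey key) { this.key = key; }",
                "    public String createToken(String u) {",
                "        return Jwts.builder().setSubject(u).signWith(key, SignatureAlgorithm.HS256).compact();",
                "    }",
                "}");
        String test = String.join("\n",
                "import io.jsonwebtoken.Jwts;",
                "import org.junit.jupiter.api.Test;",
                "class JwtUtilTest {",
                "    @Test void signs() { Jwts.builder().signWith(SignatureAlgorithm.HS256, \"x\").compact(); }",
                "}");
        System.out.println(check("JwtUtil.java", vulnerable));     // field initialized with a literal
        System.out.println(check("JwtUtilSecure.java", secure));   // key injected, nothing reported
        System.out.println(check("JwtUtilTest.java", test));       // test file, skipped
    }
}
```

Only the first sample produces a finding: the key argument is the field `secret`, which the file assigns the literal "super_secret_1". The second passes because `key` is only ever assigned from a constructor parameter, and the third is skipped outright by the @Test exclusion.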
Vulnerable code example
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class JwtUtil {
    private String secret = "super_secret_1"; // Vulnerable: Hardcoded JWT secret

    public String createToken(String username) {
        return Jwts.builder()...
✅ Secure code example
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.Date;

@Component
public class JwtUtil {...
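Both snippets above are cut off. The following file is an added, complete illustration written for this page, not Fluid Attacks' or the jjwt project's code: JwtUtilVulnerable is the hardcoded-secret pattern the rule reports, and JwtUtil is the hardened form that takes the key from the Spring property jwt.secret (an assumed property name) and verifies tokens with the same key. It assumes jjwt 0.11.x (Keys.hmacShaKeyFor, Jwts.parserBuilder) and Spring's @Value injection.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import javax.crypto.SecretKey;
import java.util.Base64;
import java.util.Date;

/** Vulnerable: the HMAC secret is compiled into the class file and lives in every clone of the repo. */
class JwtUtilVulnerable {
    private String secret = "super_secret_1"; // hardcoded JWT secret; this is what the rule reports

    public String createToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .signWith(SignatureAlgorithm.HS256, secret) // deprecated String-key overload
                .compact();
    }
}

/** Secure: the key is injected from configuration (jwt.secret, an assumed property), never written in source. */
@Component
public class JwtUtil {
    private static final long TTL_MS = 3_600_000L; // one hour

    private final SecretKey key;

    // jwt.secret holds a base64-encoded random key of at least 256 bits, generated once
    // (for example with `openssl rand -base64 32`) and supplied through the environment
    // or a secrets manager rather than committed with the code.
    public JwtUtil(@Value("${jwt.secret}") String base64Secret) {
        byte[] raw = Base64.getDecoder().decode(base64Secret);
        this.key = Keys.hmacShaKeyFor(raw); // throws WeakKeyException for keys shorter than 256 bits
    }

    public String createToken(String username) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TTL_MS))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    /** Verifies signature and expiry with the injected key and returns the subject; throws JwtException otherwise. */
    public String subjectOf(String token) {
        return Jwts.parserBuilder()
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token)
                .getBody()
                .getSubject();
    }
}
```

The difference the checker cares about is the argument to signWith: a field initialized with a literal versus a SecretKey built from an injected value. Deriving the key through Keys.hmacShaKeyFor also enforces the minimum HMAC key length, which the String overload in the vulnerable class does not.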