Python Hardcoded Auth Header Value
Description
Detects hardcoded authentication credentials or tokens in HTTP header values within Python code. This is a security risk because embedding sensitive authentication information directly in source code can lead to unauthorized access if the code is exposed.
Detection Strategy
• Check for calls to HTTP request methods or similar network operations
• Examine the header parameters passed to these methods for hardcoded authentication values
• Verify if the authentication values are static/hardcoded rather than obtained from secure configuration or environment
• Report a vulnerability when headers contain hardcoded authentication credentials like API keys, tokens, or basic auth values
Vulnerable code example
import http

# Vulnerable: Hardcoded sensitive Bearer token in headers
headers = {
    "Accept": "text/html",
    "authorization": "Bearer YWUzYjQwODAwODA2Y2E5ZjdjNjkzOTFhOWM5ZWZiMjQ6",  # Critical: Contains hardcoded credentials
}
...

✅ Secure code example
import os
import http.client
from typing import Dict

def get_secure_headers() -> Dict[str, str]:
    headers = {"Accept": "text/html"}
    # Get token from environment variable instead of hardcoding
    token = os.getenv("API_BEARER_TOKEN")
    if token is None:
        # Fail closed: never send a request with an empty or missing credential
        raise RuntimeError("API_BEARER_TOKEN is not set")
    headers["Authorization"] = f"Bearer {token}"
    return headers
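A minimal AST-based implementation of the detection strategy above, added here as an example and not Fluid Attacks' own scanner: it walks every dict literal in a Python source file, flags entries whose key is an auth-related header name (the AUTH_HEADER_NAMES set is an assumption) and whose value is a string literal, and lets values built from environment lookups pass. The SAMPLE source it scans is constructed for this example.

```python
import ast
from typing import List, Tuple

# Header names that carry credentials (assumed list for this example; extend as needed).
AUTH_HEADER_NAMES = {"authorization", "proxy-authorization", "x-api-key", "api-key", "x-auth-token"}


def _is_hardcoded(node: ast.expr) -> bool:
    """True when a header value is a string literal, a concatenation of literals,
    or an f-string with no placeholders; anything derived from a variable, call or
    subscript (e.g. os.getenv / os.environ) is treated as not hardcoded."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    if isinstance(node, ast.JoinedStr):
        return all(isinstance(v, ast.Constant) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_hardcoded(node.left) and _is_hardcoded(node.right)
    return False


def find_hardcoded_auth_headers(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, header_name) pairs for dict entries whose key is an
    auth header and whose value is hardcoded. Dicts passed as headers= to a
    request call are found the same way, since the walk covers nested nodes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            if key is None:  # `**spread` entry: no literal key to inspect
                continue
            if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                    and key.value.lower() in AUTH_HEADER_NAMES and _is_hardcoded(value)):
                findings.append((value.lineno, key.value))
    return sorted(findings)


# Constructed sample: lines 3, 4 and 7 should be reported; lines 5 and 6 should not.
SAMPLE = '''\
import os
import requests
bad = {"Accept": "text/html", "authorization": "Bearer CONSTRUCTED_TOKEN_VALUE"}
also_bad = {"X-API-Key": "sk-" + "CONSTRUCTED"}
ok = {"Authorization": "Bearer " + os.environ["API_BEARER_TOKEN"]}
ok2 = {"Authorization": f"Bearer {os.getenv('API_BEARER_TOKEN')}"}
requests.get("https://api.example.com", headers={"Proxy-Authorization": "Basic CONSTRUCTED"})
'''

if __name__ == "__main__":
    for line, header in find_hardcoded_auth_headers(SAMPLE):
        print(f"line {line}: hardcoded value for header {header!r}")
```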