Avoid using a hard-coded secret このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
このルールを試す ID: javascript-express/hardcoded-secret
Language: JavaScript
Severity: Warning
Category: Security
CWE : 798
Description Do not store secrets in plaintext where they are used. Instead use environment variables (process.env.<NAME>
) or better yet, use a key management service (KMS) linked below that includes encryption.
Learn More Non-Compliant Code Examples import session from "express-session"
import { expressjwt } from "express-jwt"
app . use (
session ({
name : "session-name" ,
secret : "not-secret-secret" ,
secret : ` ${ isProd ? "prod-secret" : "dev-secret" } ` ,
})
)
app . use (
expressjwt ({
name : "session-name" ,
secret : "not-secret-secret" ,
secret : ` ${ isProd ? "prod-secret" : "dev-secret" } ` ,
})
)
Compliant Code Examples import session from "express-session"
import { expressjwt } from "express-jwt"
app . use (
session ({
name : "session-name" ,
secret : process . env . SECRET
})
)
app . use (
expressjwt ({
name : "session-name" ,
secret : process . env . SECRET
})
)
Seamless integrations. Try Datadog Code Analysis