ID: ruby-security/jwt-secret-hardcoded
Language: Ruby
Severity: Error
Category: Security
CWE: 798
This rule is about not hardcoding JWT (JSON Web Token) secrets in your Ruby code. JSON Web Tokens are an open, industry standard for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Hardcoding JWT secrets in your code is a security risk, as it gives anyone who has access to the codebase the ability to generate their own valid tokens. This can lead to a number of serious security vulnerabilities, including unauthorized access to protected resources.
To avoid this, store secrets outside of your codebase, in a secure and encrypted environment. You can then reference these secrets in your code through environment variables or a secure secret management system. For example, instead of hardcoding the secret in the JWT.encode method, you can store it in an environment variable and reference it as hmac_secret. This way, even if someone gains access to your codebase, they won't be able to generate valid tokens without also having access to your secure environment.
```ruby
# Flagged by the rule: the HMAC secret is a string literal in the source.
JWT.encode payload, 'something', 'HS256'

# Flagged by the rule: a literal nil is passed where the secret belongs.
JWT.encode payload, nil, 'HS256'

# Compliant: the secret is read from the environment and referenced by name.
JWT.encode payload, hmac_secret, 'HS256'
```
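As an added example (not Datadog's own code and not the jwt gem's), the compliant pattern carried through: the secret comes from an environment variable and is rejected when missing, and the HS256 signing that JWT.encode would perform is written out against Ruby's standard library so it runs without the gem. The variable name JWT_HMAC_SECRET is an assumption for this example, not something the rule prescribes.

```ruby
require 'openssl'
require 'json'

# Environment variable name is an assumption for this example, not part of the rule.
SECRET_ENV_VAR = 'JWT_HMAC_SECRET'

# Compliant source for the secret: read from the environment, never a literal.
# Failing fast on a missing or empty value keeps nil/'' from reaching the signer.
def hmac_secret(env = ENV)
  secret = env[SECRET_ENV_VAR]
  raise KeyError, "#{SECRET_ENV_VAR} is not set" if secret.nil? || secret.empty?
  secret
end

# Unpadded base64url, as JWT requires (stdlib pack/unpack, no base64 gem needed).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

# Same output shape as JWT.encode(payload, hmac_secret, 'HS256'): header.payload.signature
def hs256_encode(payload, secret)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body = b64url(JSON.generate(payload))
  signing_input = "#{header}.#{body}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Constant-time byte comparison so a forged signature cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies the signature and returns the payload, or nil when the token is
# malformed or was signed with a different secret (e.g. a leaked hardcoded one).
def hs256_decode(token, secret)
  header, body, sig = token.split('.', 3)
  return nil if header.nil? || body.nil? || sig.nil?
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  return nil unless secure_equal?(b64url_decode(sig), expected)
  JSON.parse(b64url_decode(body))
rescue ArgumentError, JSON::ParserError
  nil
end
```

With the variable set, `hs256_encode({ 'sub' => 'user-42' }, hmac_secret)` mirrors the compliant JWT.encode call above, and a token minted with any other secret fails verification.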
For more information, please read the Code Analysis documentation