DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
JavaScript

JavaScript

Made by DeepSource
Use Analyzer

Found hardcoded credentials in source code JS-S1021

Security
Critical
 a02 cwe-798 sans top 25 owasp top 10 cwe-259

Having hardcoded credentials in your source code, like passwords, tokens, and API keys can lead to security vulnerabilities, even if the source repo is private, and/or self-hosted.

As a best practice, it is recommended to use environment variables. In JavaScript, the convention is to use the dotenv package to read secrets from a .env file.

Bad Practice

import { initializeApp } from "firebase/app";
const app = initializeApp({
  apiKey: "<YOUR_API_KEY_AS_A_STRING_LITERAL>",
  // ^ This setting here may be exposed in error message stack traces etc.
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
});

import mysql from "mysql";

const conn = mysql.createConnection({
  host: "<url>",
  user: "bob",
  password: "ABc-07"
});

Recommended

import { initializeApp } from "firebase/app";
import dotenv from "dotenv"

// loads the variables definied in a `.env` file into the environment
dotenv.config()

const app = initializeApp({
  apiKey: process.env.FIREBASE_API_KEY
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
});

import mysql from "mysql"
import dotenv from "dotenv"

dotenv.config();

const conn = mysql.createConnection({
  host: process.env.SQL_HOST,
  user: process.env.SQL_USER,
  password: process.env.SQL_PASSWORD
});

References