A potential sensitive data is being exposed in the source code. It can compromise the security of application/user. It is recommended to encrypt this data. Anyone who has access to the source code can use sensitive data. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. Also hardcoding data makes it difficult to change the password for the operational side.

It is recommended to put sensitive values either in a separate (uncommitted, gitignored) configuration file, or pull them in from environment variables. The first is easier if you're self-hosting; the latter is the norm if you use e.g. Heroku or similar platform that deploys from a repository.

Bad practice

username = "james"
token = "auenfejadldadjakf"

Recommended

import os

username = os.getenv("username")
token = os.environ.get("secret_key", "default_key")  # getting value from env variable. No issue.

References:

• OWASP Top 10 2021 Category A05 - Security Misconfiguration
• SANS Top 25
• CWE-798 - Use of Hard-coded Credentials