Secrets

Made by DeepSource

Hardcoded Stripe access token in source code SCT-1005

Secrets
Critical

A Stripe secret key hardcoded in source code is exposed to everyone who can read the repository, including its history, forks and CI logs. Anyone holding a secret (sk_) or restricted (rk_) key can call the Stripe API as your account: create charges and refunds, read customer and payment data, and change account settings. The result can be direct financial loss through fraudulent activity as well as a breach of customer privacy.

If a key has been committed, treat it as compromised even after it is deleted from the working tree, because it remains in the repository history. Roll the key in the Stripe dashboard (Developers > API keys) so the old value stops working, update every deployment that used it, review recent API activity and events for misuse, and remove the literal from the history if the repository is shared.

Store the API key in an environment variable (or a secrets manager that injects one) rather than in the source code. This keeps the key separate from the codebase, lets it be rotated without a code change, and allows different keys per environment, for example a test-mode key in development and a live-mode key only in production. Fail fast if the variable is missing instead of letting Stripe calls fail later with a less obvious error. Also limit who and what can use the key: share it only with the people and services that need it, prefer restricted keys with just the permissions a service requires over the full secret key, and for third-party platforms use Stripe Connect or OAuth so they can act on an account without ever being given your secret key.

Bad practice

import stripe

# The secret key is a literal in the source: anyone with read access to the
# repository, its history or its CI logs can use it to call the Stripe API.
stripe.api_key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"

customer = stripe.Customer.create(
    email="[email protected]",
    name="Jenny Rosen",
    source="tok_visa"
)

Recommended

import os

import stripe

# Read the key from the environment so it never lives in the repository.
stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
if not stripe.api_key:
    # Fail fast: an unset key would otherwise surface as an authentication
    # error on the first API call, far from the real cause.
    raise RuntimeError("STRIPE_SECRET_KEY is not set")

customer = stripe.Customer.create(
    email="[email protected]",
    name="Jenny Rosen",
    source="tok_visa"
)
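As an added example (not DeepSource's analyzer and not code from Stripe), the following Python shows the two checks this rule is about: a scanner that flags Stripe secret and restricted key literals in source text, and a loader that pulls the key from the environment and refuses to start when it is missing, malformed, or a test-mode key where a live key is required. The regex, the helper names and the sample snippets are assumptions made for this example; the key in the sample is the test key from the page's bad-practice snippet.

```python
"""Added example for this page: detect hardcoded Stripe keys and load one safely.

Illustrative code, not DeepSource's analyzer or Stripe's library. The pattern,
function names and sample snippets below are assumptions made for the example.
"""
from __future__ import annotations

import os
import re

# Stripe secret (sk_) and restricted (rk_) keys carry a live/test marker and a
# long base62 body. Publishable keys (pk_) are not secrets and are not matched.
STRIPE_SECRET_KEY_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{24,}\b")


def find_stripe_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, key) pairs for every Stripe key literal found in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRIPE_SECRET_KEY_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_stripe_key(env: dict | None = None, *, allow_test_key: bool = True) -> str:
    """Read STRIPE_SECRET_KEY from env (default: os.environ) and validate it.

    Raises RuntimeError instead of returning None, so a misconfigured
    deployment fails at startup rather than on the first Stripe API call.
    """
    env = os.environ if env is None else env
    key = env.get("STRIPE_SECRET_KEY")
    if not key:
        raise RuntimeError("STRIPE_SECRET_KEY is not set; refusing to start without it")
    if not STRIPE_SECRET_KEY_RE.fullmatch(key):
        raise RuntimeError("STRIPE_SECRET_KEY does not look like a Stripe secret/restricted key")
    if not allow_test_key and "_test_" in key:
        raise RuntimeError("test-mode key supplied where a live-mode key is required")
    return key


def redact(key: str) -> str:
    """Keep only the mode prefix and the last four characters, safe for logs."""
    return key[:8] + "..." + key[-4:]


# Constructed samples: the page's bad-practice snippet (documentation test key)
# and its environment-variable counterpart.
HARDCODED_SNIPPET = '''import stripe

stripe.api_key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
'''

ENV_SNIPPET = '''import os, stripe

stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
'''

if __name__ == "__main__":
    for lineno, key in find_stripe_keys(HARDCODED_SNIPPET):
        print(f"line {lineno}: hardcoded Stripe key {redact(key)}")
    print("env-variable snippet hits:", find_stripe_keys(ENV_SNIPPET))
```

The scanner is deliberately prefix-based rather than entropy-based: Stripe keys have a fixed, recognisable shape, so matching it gives far fewer false positives than a generic high-entropy-string heuristic. `redact` is there because the fix for a leaked key should never involve printing the full key into yet another log.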