Interlace ESLint

no-credentials-in-query-params

This rule disallows credentials in URL query parameters.

Disallow credentials in URL query parameters

Rule Details

This rule disallows credentials in URL query parameters. Query strings are recorded in browser history, proxy and server access logs, and outgoing Referer headers, so a password or token placed there is exposed well beyond the intended recipient.

OWASP Mobile Top 10: M1
CWE: CWE-598
Severity: error

Examples

❌ Incorrect

const url = '/api/login?username=user&password=pass123'

fetch('/api?token=abc123&action=delete')

✅ Correct

const url = '/api/users?page=1&limit=10'

fetch('/search?q=hello&sort=date')
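The check this rule performs, reduced to a standalone function and run over the page's own examples; this is an added illustration, not the plugin's implementation, and the list of credential-looking parameter names is an assumption.

```javascript
// Added example (not the plugin's own code): a simplified heuristic of the kind a
// rule like no-credentials-in-query-params applies to string literals. The set of
// parameter names treated as credentials below is an assumption for illustration.
const CREDENTIAL_PARAM =
  /^(pass(word|wd)?|pwd|secret|token|api[_-]?key|apikey|access[_-]?token|auth|credential|session[_-]?id|client[_-]?secret)$/i;

// Returns the query-parameter names in `url` that look like credentials.
// Accepts absolute and relative URLs; a string without a query returns [].
// Only literal strings can be inspected, which is why values assembled from
// config, environment variables or dynamic property access are not seen.
function findCredentialParams(url) {
  const q = url.indexOf('?');
  if (q === -1) return [];
  const query = url.slice(q + 1).split('#')[0]; // drop any fragment
  const hits = [];
  for (const [name] of new URLSearchParams(query)) {
    if (CREDENTIAL_PARAM.test(name) && !hits.includes(name)) hits.push(name);
  }
  return hits;
}

// Constructed samples: the page's four examples plus one absolute callback URL.
const SAMPLES = [
  '/api/login?username=user&password=pass123',
  '/api?token=abc123&action=delete',
  '/api/users?page=1&limit=10',
  '/search?q=hello&sort=date',
  'https://example.com/cb?access_token=x&api_key=y',
];

// Produces one finding per sample, mirroring what a lint report would list.
function report(urls) {
  return urls.map((u) => ({ url: u, credentials: findCredentialParams(u) }));
}

for (const r of report(SAMPLES)) {
  const verdict = r.credentials.length ? `flagged: ${r.credentials.join(', ')}` : 'ok';
  console.log(`${r.url} -> ${verdict}`);
}
```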

When Not To Use It

This rule should be enabled for all mobile and web applications to ensure security best practices.

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Credentials from Config

Why: Config values not traced.

// ❌ NOT DETECTED - From config
const password = config.dbPassword;

Mitigation: Use proper secrets management.

Environment Variables

Why: Env var content not analyzed.

// ❌ NOT DETECTED - Env var
const secret = process.env.API_KEY;

Mitigation: Never hardcode or expose secrets.

Dynamic Credential Access

Why: Dynamic property access not traced.

// ❌ NOT DETECTED - Dynamic
const cred = credentials[type];

Mitigation: Audit all credential access patterns.

Further Reading

  • See other mobile security rules in this plugin

Category: Mobile Security
Type: Problem
Recommended: Yes
