ESLint Interlace
Plugin: secure-coding / Rules

no-hardcoded-session-tokens

ESLint security rule documentation for no-hardcoded-session-tokens

Detects hardcoded session/JWT tokens in code

This rule detects hardcoded JWT tokens (starting with eyJ), Bearer tokens, and session identifiers

Severity: 🔴 CRITICAL
CWE: CWE-798: Use of Hard-coded Credentials
OWASP Mobile: M1: Improper Credential Usage

Rule Details

This rule detects hardcoded JWT tokens (starting with eyJ), Bearer tokens, and session identifiers. Hardcoded tokens in source code are exposed in version control, decompiled apps, and client-side code, leading to unauthorized access.

Why This Matters

Hardcoded session tokens create critical vulnerabilities:

  • Source control exposure: Tokens committed to Git are permanently in history
  • Client-side exposure: Tokens in JavaScript bundles are visible to all users
  • Decompilation: Mobile apps can be reverse-engineered to extract tokens
  • No rotation: Hardcoded tokens can't be rotated without code changes

❌ Incorrect

// Hardcoded JWT token
const authToken =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'; // ❌ CRITICAL

// Hardcoded Bearer token
fetch('https://api.example.com/data', {
  headers: {
    Authorization: 'Bearer sk_live_51H8qL2eZvKYlo2C9S...', // ❌ API key exposed
  },
});

// Hardcoded session ID
const sessionId = 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'; // ❌ Static session
localStorage.setItem('session', sessionId);

✅ Correct

// Token from environment variable
const authToken = process.env.AUTH_TOKEN; // ✅ From environment

// Token from secure server endpoint
const response = await fetch('/api/auth/token');
const { token } = await response.json(); // ✅ Server-generated

// Session from authentication flow
async function login(username: string, password: string) {
  const response = await fetch('/api/login', {
    method: 'POST',
    body: JSON.stringify({ username, password }),
  });
  const { sessionToken } = await response.json();
  return sessionToken; // ✅ Dynamic, server-issued
}

// OAuth token exchange
const tokenResponse = await oauth2Client.getToken(authCode);
const accessToken = tokenResponse.tokens.access_token; // ✅ OAuth flow

⚙️ Configuration

This rule has no configuration options.

Known False Negatives

Tokens from Configuration Files

Why: We only detect tokens in source code literals. Tokens in JSON/YAML config files are not analyzed.

// ❌ NOT DETECTED - Token in imported config
import config from './config.json'; // { "token": "eyJ..." }
const token = config.token;

Mitigation: Never commit config files with tokens. Use .gitignore and environment variables.

Tokens in Template Strings

Why: Template literals with complex expressions are not fully analyzed.

// ❌ NOT DETECTED - Template literal
const token = `Bearer ${staticToken}`; // If staticToken is hardcoded elsewhere

Mitigation: Use additional lint coverage for template literals, and review every token assignment manually, including values that are only assembled from other variables.

Base64-Encoded Tokens

Why: We detect JWT format (eyJ...) but not all Base64-encoded tokens.

// ❌ NOT DETECTED - Generic Base64
const encoded = 'c2VjcmV0LXRva2VuLWhlcmU='; // Base64 but not JWT format
const token = atob(encoded);

Mitigation: Never store tokens in any encoded form in source code.
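The detection described under Rule Details, together with the gaps listed under Known False Negatives, as an added example that is not the plugin's own rule source: a minimal ESLint rule whose patterns (JWT shape, Bearer prefix, long opaque literal received by a session/token-named variable or property) and placeholder filter are assumptions made here for illustration. It skips template literals that contain ${...} parts and does not match generic Base64, so the documented false negatives are visible in the code.

```javascript
// Added example (not the plugin's own source): a minimal ESLint rule showing how
// literal-based detection of hardcoded JWT, Bearer and session tokens can work.
// Every pattern and the variable-name heuristic below is an assumption.
// A JWT is three base64url segments joined by "."; the base64url JSON header
// always starts with "eyJ".
const JWT_RE = /^eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
// "Bearer <opaque token>" written straight into a string.
const BEARER_RE = /^Bearer\s+[A-Za-z0-9._~+/-]{16,}=*$/;
// Long opaque identifiers are reported only when the receiving name looks
// session/token related, to limit noise (assumed heuristic).
const OPAQUE_RE = /^[A-Za-z0-9_-]{24,}$/;
const NAME_HINT_RE = /session|token|auth/i;
// Obvious placeholders such as "<your-token>" are not secrets.
const PLACEHOLDER_RE = /<[^>]+>|\b(?:xxx+|your[_-]?token|changeme)\b/i;

// Returns 'jwt' | 'bearer' | 'session' | null for a string literal value.
function classifyToken(value, contextName = '') {
  if (typeof value !== 'string' || PLACEHOLDER_RE.test(value)) return null;
  if (JWT_RE.test(value)) return 'jwt';
  if (BEARER_RE.test(value)) return 'bearer';
  if (OPAQUE_RE.test(value) && NAME_HINT_RE.test(contextName)) return 'session';
  return null; // plain base64 such as "c2VjcmV0..." falls through: the documented gap
}

// Name of the variable or object property that receives the literal.
function enclosingName(node) {
  const p = node.parent;
  if (p?.type === 'VariableDeclarator' && p.id.type === 'Identifier') return p.id.name;
  if (p?.type === 'Property' && p.key.type === 'Identifier') return p.key.name;
  return '';
}

const rule = {
  meta: { type: 'problem', schema: [],
          messages: { hardcoded: 'Hardcoded {{kind}} token; load it at runtime instead.' } },
  create(context) {
    const check = (node, value) => {
      const kind = classifyToken(value, enclosingName(node));
      if (kind) context.report({ node, messageId: 'hardcoded', data: { kind } });
    };
    return {
      Literal: (node) => check(node, node.value),
      // Template literals with ${...} parts are skipped: the false negative noted above.
      TemplateLiteral: (node) => {
        if (node.expressions.length === 0) check(node, node.quasis[0].value.cooked);
      },
    };
  },
};
if (typeof module !== 'undefined') module.exports = { rule, classifyToken, enclosingName };
```

Register it like any custom rule; calling classifyToken directly on the literals from the Incorrect and Known False Negatives sections above shows which shapes it reports and which it misses.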
