Severity: Critical | CWE-798 | OWASP A02:2021

Hardcoded API Keys

API keys, tokens, or secrets written directly in source code, making them visible to anyone with repo access — including public GitHub repositories.

How It Works

When you paste an API key directly into code, it gets committed to git history. Deleting it in a later commit does not help: the key stays in the history of every clone and fork, in any CI cache or build artifact that captured it, and rewriting history on your own repository cannot reach copies you do not control. Automated bots scan GitHub around the clock for recognisable prefixes such as `sk-` (OpenAI), `AKIA` (AWS access key IDs), and `ghp_` and `ghs_` (GitHub tokens), and will typically start using a found key within minutes of the push.

Vulnerable Code

```typescript
import OpenAI from 'openai';
import Stripe from 'stripe';

// BAD: key baked into source code
const openai = new OpenAI({
  apiKey: 'sk-proj-abc123xyz789...'
});
const stripe = new Stripe('sk_live_51Abc...');
```

Secure Code

```typescript
import OpenAI from 'openai';
import Stripe from 'stripe';

// GOOD: load from environment variables (the `!` only satisfies the type
// checker; it does not verify the variable is set at runtime)
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY
});
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
```

Real-World Example

In 2024, a developer accidentally committed an AWS key (AKIA...) to a public repo. Within 4 minutes, bots had spun up hundreds of EC2 instances for crypto mining, generating a $47,000 bill before AWS suspended the account.

How to Prevent It

  • Store all secrets in environment variables (or your platform's secret store) and read them via process.env at startup; fail fast if one is missing rather than letting an undefined value reach the client library
  • Add .env to .gitignore before your first commit. Once a .env file has been committed, removing it from the working tree does not remove it from history
  • Run a secret scanner such as git-secrets or truffleHog as a pre-commit hook and in your CI pipeline, so a commit that contains a key is rejected rather than pushed
  • Rotate any key that was ever committed, even briefly, and assume it was used; revoking the key is the only real fix, since history rewriting cannot recall existing clones and forks
  • Enable GitHub secret scanning (free for public repos) and its push protection, which rejects a push containing a detected secret before it lands in the repository
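As an added example, not code from the original page or from the tool it advertises, here is a minimal scanner in JavaScript of the kind the "How It Works" section and the CI bullet above describe: it looks for the token prefixes named above in a file's text and reports each hit with a line number and a redacted preview, so the hook output does not re-leak the secret. The length thresholds in the regexes are my own approximations of each provider's key format, not an official rule set, and the sample source it scans is constructed for the example.

```javascript
// Added example (not the page's or product's own code): a small secret scanner
// suitable as the core of a pre-commit hook or CI check. The prefixes are the
// ones named on the page; the length limits below are assumptions about each
// provider's format, not an official rule set.
const RULES = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // GitHub classic personal access tokens (ghp_) and server-to-server tokens (ghs_).
  { id: "github-token", re: /\bgh[ps]_[A-Za-z0-9]{36}\b/g },
  // Stripe live secret keys (threshold assumed; sk_test_ keys are left out here).
  { id: "stripe-live-secret", re: /\bsk_live_[A-Za-z0-9]{16,}\b/g },
  // OpenAI keys, including the project-scoped "sk-proj-" form (threshold assumed).
  { id: "openai-key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{16,}/g },
];

// Scan one file's text. Returns one finding per match with the 1-based line
// number and a redacted preview (first 8 characters only).
function scanText(fileName, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({
          file: fileName,
          line: idx + 1,
          rule: rule.id,
          preview: m[0].slice(0, 8) + "***",
        });
      }
    }
  });
  return findings;
}

// Exit status a hook would return: non-zero blocks the commit or the CI job.
function exitCode(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample resembling the "Vulnerable Code" above. The AWS value is
// the placeholder key ID format from AWS documentation, not a live key.
const SAMPLE_SOURCE = [
  "const openai = new OpenAI({",
  "  apiKey: 'sk-proj-abc123xyz789ABCDEFGHIJKLMNOP'",
  "});",
  "const stripe = new Stripe('sk_live_51AbCdEfGhIjKlMnOpQrStUv');",
  "// placeholder-format AWS key id, used here as a constructed sample",
  "const awsKeyId = 'AKIAIOSFODNN7EXAMPLE';",
  "const token = 'ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';",
  "const safe = process.env.OPENAI_API_KEY; // no literal, nothing to flag",
].join("\n");

// Demo run over the constructed sample.
const demoFindings = scanText("sample.js", SAMPLE_SOURCE);
for (const f of demoFindings) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.preview}`);
}
console.log(`exit code would be ${exitCode(demoFindings)}`);
```

In a real pre-commit hook you would feed `scanText` the staged content of each changed file (for example from `git diff --cached`) and use `exitCode` as the process exit status; the redacted preview is deliberate, since hook and CI logs are themselves frequently world-readable.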

Affected Technologies

Node.js, Next.js, React, Python, Go

Data Hogo detects this vulnerability automatically.
