App/framework keys or passwords are visible/hardcoded

May app/web framework require the use of encryption keys/passwords - symmetric or asymmetric in order to encrypt cookies, JWT, and/or database encryption seed data.

Usually these are needed to be stored and used by the framework.

Exposing these may risk a hacker being able to perform MitM attacks, impersonation and more.


An app or framework key is visible or hardcoded.



  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. Hashicorp Vault


  1. Prefer a 12-factor architecture
  2. Use secret-loading libraries like .env for your specific tech stack