📌 This post is one chapter in my Red Flags series. I’m exploring the mistakes, bad practices, and subtle issues we often overlook in day-to-day development. Stay tuned for upcoming posts!
When your code treats secrets like regular variables.
Hard-coding secrets and configuration values means putting sensitive data like API keys, tokens, or database URLs directly into your source code. It feels like a harmless shortcut in the moment, but once these values enter your repository, they become long-term technical debt waiting to resurface at the worst possible time.
const DB_USER = "admin";
const DB_PASSWORD = "supersecret123";
const ...📌 This post is one chapter in my Red Flags series. I’m exploring the mistakes, bad practices, and subtle issues we often overlook in day-to-day development. Stay tuned for upcoming posts!
When your code treats secrets like regular variables.
Hard-coding secrets and configuration values means putting sensitive data like API keys, tokens, or database URLs directly into your source code. It feels like a harmless shortcut in the moment, but once these values enter your repository, they become long-term technical debt waiting to resurface at the worst possible time.
const DB_USER = "admin";
const DB_PASSWORD = "supersecret123";
const DB_HOST = "prod-db.example.com";
const connectionString = postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}/app;
The biggest issue is that you eventually forget where they are. That temporary token you dropped into a file during crunch time is now spread across branches, backups, and even your Git history. Once a secret enters version control, it becomes essentially immortal. Hard-coding also breaks environment isolation. Staging and production start behaving like they share the same apartment, and one careless commit can accidentally send staging traffic straight into prod.
Simple changes also become more painful than they should be. Updating a config value suddenly requires a commit, a PR, a review, and a deployment. And because these values live inside the code, more people need repo access, violating the principle of least privilege and increasing exposure. Compliance frameworks like HIPAA absolutely love that… just kidding, they hate it with passion.
The fix is straightforward: get secrets out of your code and into proper storage. Use environment variables, external config files, or runtime injection. Adopt a vault like HashiCorp Vault or cloud-native solutions such as AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault. In containerized environments, inject secrets through volumes or orchestrator tools so they never touch the image. This keeps access limited, rotation easy, and onboarding safer new developers don’t need sensitive values just to run the app.
Hard-coding feels fast, but it always comes back to haunt you. Put your secrets and configuration where they belong, and your systems and your audits will be much happier.
Follow me on LinkedIn and dev.to for more practical engineering insights.