security.authentication

Avoid hardcoded auth secrets

JWT, session, and strategy secrets should not be embedded directly in source code.

#Metadata

#Why it matters

Hardcoded auth secrets are hard to rotate and are exposed whenever the codebase or build artifacts leak.

#Remediation

Load the secret from environment-backed configuration or a secret manager and rotate the exposed value.
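A sketch of the remediation in TypeScript, added here as an illustration and not taken from the rule's own code. The variable names `JWT_SECRET` and `JWT_SECRET_PREVIOUS`, the 32-character minimum and the placeholder list are assumptions; the "before" literal is a constructed value.

```typescript
// BEFORE (the pattern the rule flags): a secret literal committed with the source.
//   const JWT_SECRET = "my-jwt-secret";   // constructed value

type Env = Record<string, string | undefined>;

interface AuthSecrets {
  current: string;    // signs new tokens
  previous?: string;  // still accepted for verification while rotating
}

const MIN_LENGTH = 32; // assumption: minimum length for a signing secret
const PLACEHOLDERS = new Set(["changeme", "secret", "your-secret-here"]); // assumed list

// Error messages name the variable only; the secret value is never echoed.
function validate(name: string, value: string | undefined): string {
  if (value === undefined || value.trim() === "") {
    throw new Error(`${name} is not set`);
  }
  if (PLACEHOLDERS.has(value.toLowerCase())) {
    throw new Error(`${name} is a placeholder value`);
  }
  if (value.length < MIN_LENGTH) {
    throw new Error(`${name} is shorter than ${MIN_LENGTH} characters`);
  }
  return value;
}

// AFTER: secrets come from the environment (filled in by the deployment or a
// secret manager). Startup fails closed; there is no built-in fallback value.
// In the application this is called as loadAuthSecrets(process.env).
function loadAuthSecrets(env: Env): AuthSecrets {
  const current = validate("JWT_SECRET", env["JWT_SECRET"]);
  const prevRaw = env["JWT_SECRET_PREVIOUS"];
  if (prevRaw === undefined || prevRaw === "") return { current };
  const previous = validate("JWT_SECRET_PREVIOUS", prevRaw);
  if (previous === current) {
    throw new Error("JWT_SECRET_PREVIOUS equals JWT_SECRET: rotation did not change the key");
  }
  return { current, previous };
}

// Keys to try when verifying: the new key first, then the one being retired.
function verificationKeys(s: AuthSecrets): string[] {
  return s.previous ? [s.current, s.previous] : [s.current];
}
```

Once tokens signed with the leaked value have expired, unset `JWT_SECRET_PREVIOUS` so the old secret is no longer accepted.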

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml.