📝 Add security warning about hardcoding secrets in production code #13762

Open: wants to merge 1 commit into base master

Conversation

anupamme
@anupamme anupamme commented Jun 4, 2025

Context and Purpose:

This PR automatically remediates a security vulnerability:

  • Description: Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables).
  • Rule ID: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret
  • Severity: MEDIUM
  • File: docs_src/security/tutorial004.py
  • Lines Affected: 86 - 86

This change is necessary to protect the application from potential security risks associated with this vulnerability.

Solution Implemented:

The automated remediation process has applied the necessary changes to the affected code in docs_src/security/tutorial004.py to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

@github-actions github-actions bot added the docs Documentation about how to use FastAPI label Jun 4, 2025
github-actions bot commented Jun 4, 2025

📝 Docs preview for commit f3b2fba at: https://524b8aee.fastapitiangolo.pages.dev

@YuriiMotov YuriiMotov left a comment

@anupamme, please refrain from opening PRs with autogenerated content. Or at least check it.

This PR only changes it in one file, but there are several more similar.
If you really want to contribute, please make these changes consistently across all similar code examples.
Also, I would leave this line as it is and just add a comment:

# to get a string like this run:
# openssl rand -hex 32
# SECURITY WARNING: In production, use a secure secret key from environment variables
# SECRET_KEY = os.getenv("SECRET_KEY", "")
SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7"
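The pattern the comment suggests, carried through to a loader that a practitioner could actually ship, as an added example (not code from this PR, from FastAPI or from the tutorial). It reads SECRET_KEY from the environment, refuses the published tutorial key and any empty or too-short value in production, and keeps the tutorial runnable locally by falling back to the development key only outside production. The function names, the explicit `production` flag and the APP_ENV=production convention are assumptions made for the example.

```python
import os
import secrets
from typing import Mapping, Optional

# Constructed for this example: the tutorial's development-only key, kept here only so the
# loader can refuse it in production. It must never be used as a real signing secret.
DEV_ONLY_SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7"

# 32 bytes = 256 bits, the size `openssl rand -hex 32` produces; an HS256 key should be at
# least as long as the hash output.
MIN_SECRET_BYTES = 32


def generate_secret_key() -> str:
    """Equivalent of `openssl rand -hex 32`: 32 random bytes as 64 hex characters."""
    return secrets.token_hex(MIN_SECRET_BYTES)


def load_secret_key(env: Optional[Mapping[str, str]] = None, *, production: bool = False) -> str:
    """Return the JWT signing secret from SECRET_KEY in `env` (defaults to os.environ).

    In production the key must be present, must not be the published tutorial key, and
    must be long enough for HS256. Outside production a missing key falls back to the
    development key so the tutorial still runs locally.
    """
    env = os.environ if env is None else env
    key = env.get("SECRET_KEY", "")

    if not production:
        # Development: the known tutorial key is acceptable, an explicit key still wins.
        return key or DEV_ONLY_SECRET_KEY

    if not key:
        raise RuntimeError("SECRET_KEY is not set; generate one with `openssl rand -hex 32`")
    # Constant-time comparison is not strictly needed here, but it is the habit to keep
    # whenever a secret is compared against a known value.
    if secrets.compare_digest(key, DEV_ONLY_SECRET_KEY):
        raise RuntimeError("SECRET_KEY is the published tutorial key; it is not secret")
    if len(key.encode("utf-8")) < MIN_SECRET_BYTES:
        raise RuntimeError(f"SECRET_KEY is shorter than {MIN_SECRET_BYTES} bytes")
    return key


def is_production(env: Optional[Mapping[str, str]] = None) -> bool:
    """Assumed convention for this example: APP_ENV=production marks a production deploy."""
    env = os.environ if env is None else env
    return env.get("APP_ENV", "").lower() == "production"


if __name__ == "__main__":
    # Usage in place of the tutorial's literal assignment.
    SECRET_KEY = load_secret_key(production=is_production())
    print(f"loaded a {len(SECRET_KEY)}-character secret key")
```

Failing fast at startup is the point: a production process that would otherwise sign tokens with the key printed in the documentation never comes up, while the tutorial itself keeps working with no environment configured.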

@YuriiMotov YuriiMotov changed the title Updated docs_src/security/tutorial004.py to fix security vulnerability [python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret] 📝 Add security warning about hardcoding secrets in production code Jun 6, 2025