← Back to Baseline

MB-R097

Secrets are not hardcoded in custom code

C03 Secure Coding Practices High

API keys, tokens, private keys, passwords, and payment credentials must not be hardcoded in PHP, XML, JavaScript, templates, or sample configuration files. Hardcoded secrets are difficult to rotate and often leak through repositories, artifacts, or error output. Use `env.php`, environment variables, or a secret manager with least-privilege access and rotation support.

Why it Matters

Hardcoded secrets in PHP, XML, JavaScript, templates, or sample files are easy to leak through Git, build artifacts, screenshots, or error output. They are also difficult to rotate because the value is mixed into application code.

Secrets should be provided through environment configuration or a secret manager so access is limited, rotation is practical, and code can be shared safely.

Verification Steps

Code scan

grep -RIE "(sk_live_|api_key|secret|password|private_key|token)" app/code app/design config 2>/dev/null

Repository scan

# Use a secret scanner when available
git secrets --scan
trufflehog filesystem .

Remediation / Fix Guidance

  1. Move API keys, passwords, and tokens out of code and into env.php, environment variables, or a secret manager.
  2. Rotate any secret that was hardcoded or committed.
  3. Add secret scanning to CI.
  4. Use least-privilege credentials for each integration.
  5. Keep sample config values fake and clearly non-production.

Examples

Fail Example
private $apiKey = "sk_live_real_secret";
# Secret hardcoded in module → FAIL
Pass Example
$apiKey = $this->scopeConfig->getValue("payment/provider/api_key");
# Secret sourced from protected config/secret storage → PASS

References