Secrets should be unique, so that it’s clear
what processes depend on them
what level of security is being present
management of secrets, one at a time
How does this happen?
Often it’s cumbersome to set a new environment variable during the process of the implementation. Just to test things, a secret is being reused.
As
a session secret
salt
DB password
….
one and the same
secret: process.env.SESSION_SECRET;
Example: Next.js
Can affect any language.
Test and fix
grep for secret name, and investigate the hits (
grep -r SESSION_SECRET *.js)stay on task: one grep, and reading the results per audit objective
the order matters: don’t burn time auditing many things at once