Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R156. Source code without sensitive information

This documents contains the details of the security requirements related to source code security in applications. This requirement establishes the importance of developing source code without sensitive information in order to avoid security breaches in the application.


The source code must not contain sensitive information.


Sensitive data is often included in the source code during early development stages for practicality or due to a lack of early architecture. This data includes credentials, secrets, cryptographic keys, personal identification numbers and other personal information. Following secure programming practices, none of this information should be present in the source code, as it could lead a source code leak to putting critical systems in jeopardy.


  1. CWE-259: Use of Hard-coded Password The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

  2. CWE-321: Use of Hard-coded Cryptographic Key The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

  3. CWE-540: Inclusion of Sensitive Information in Source Code Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

  4. CWE-615: Inclusion of Sensitive Information in Source Code Comments While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

  5. CWE-798: Use of Hard-coded Credentials The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

  6. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  7. GDPR. Art. 25: Data protection by design and by default.(1) The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.

  8. GDPR. Recital 51: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.

  9. OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements.(2.10.4) Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories.

Service status - Terms of Use