---
title: No Hardcoded Secrets
impact: CRITICAL
impactDescription: prevents sensitive data exposure and potential security breaches
tags: security, secrets, vulnerability, quality
---

## No Hardcoded Secrets

Never hardcode passwords, API keys, or tokens in your source code. Use environment variables or encrypted credential files.

**Incorrect (hardcoded secret):**

```ruby
client = Stripe::Client.new(api_key: "sk_test_51Mz...")
```

**Correct (config/credentials):**

```ruby
# Using Rails encrypted credentials (config/credentials.yml.enc, decrypted
# with the master key that is kept out of the repository)
client = Stripe::Client.new(api_key: Rails.application.credentials.stripe_api_key)

# Or using ENV (note: ENV['KEY'] returns nil when the variable is unset;
# ENV.fetch('KEY') raises a KeyError instead, so misconfiguration fails fast)
client = Stripe::Client.new(api_key: ENV['STRIPE_API_KEY'])
```
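A fail-fast secret loader plus a small scan for the kind of pasted-in key the incorrect snippet shows, as an added Ruby example that is not part of the original rule; `fetch_secret`, `scan_for_secrets`, `SECRET_PATTERNS` and the sample source are constructed for illustration.

```ruby
# Loads a required secret from the environment, refusing to start when the
# variable is missing or holds an obvious placeholder, so a bad deploy fails
# loudly instead of running with nil. `env` is injectable for testing.
def fetch_secret(name, env = ENV)
  value = env.fetch(name) { raise KeyError, "required secret #{name} is not set" }
  if value.strip.empty? || value =~ /\A(changeme|todo|xxx)\z/i
    raise ArgumentError, "#{name} looks like a placeholder, not a real secret"
  end
  value
end

# Constructed patterns that usually mean a secret was pasted into source.
# Tune these for your own key formats; tools like git-secrets ship their own.
SECRET_PATTERNS = {
  "stripe_key" => /\bsk_(live|test)_[0-9A-Za-z]{8,}/,
  "aws_access" => /\bAKIA[0-9A-Z]{16}\b/,
  "generic"    => /\b(api_key|password|secret|token)\b\s*[:=]\s*["'][^"']{8,}["']/i
}.freeze

# Scans source text line by line (as a pre-commit hook or CI step would) and
# returns one finding per offending line, with the value redacted to a prefix.
# Lines that read the value from ENV or Rails credentials are skipped.
def scan_for_secrets(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line =~ /ENV\[|ENV\.fetch|credentials\./
    SECRET_PATTERNS.each do |rule, pattern|
      if (m = pattern.match(line))
        findings << { line: lineno, rule: rule, snippet: m[0][0, 12] + "..." }
        break # one finding per line is enough to block the commit
      end
    end
  end
  findings
end

# Constructed sample source: one hardcoded Stripe key, one correct ENV read,
# one hardcoded password.
SAMPLE_SOURCE = <<~RUBY
  client = Stripe::Client.new(api_key: "sk_test_CONSTRUCTEDEXAMPLE00")
  client = Stripe::Client.new(api_key: ENV.fetch("STRIPE_API_KEY"))
  password = "hunter2-constructed"
RUBY
```

Running `scan_for_secrets(SAMPLE_SOURCE)` flags lines 1 and 3 and leaves the `ENV.fetch` line alone; wiring `fetch_secret` into the client setup makes a missing `STRIPE_API_KEY` a startup error rather than a nil key.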

**Tools:** git-secrets, Brakeman, RuboCop

---
