Will It Vibe logoWill It Vibe?
EXPRESS-010High severity-15 points

Hardcoded fallback for a secret env var

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A secret is read as process.env.X || 'literal', so the literal fallback ships as a real, guessable secret whenever the variable is unset in production.

Why it matters

Reading a secret as process.env.X || 'literal' means the literal becomes the real secret whenever the variable is unset, which is exactly what happens on a fresh or misconfigured environment. A fallback JWT or session secret that ships in the source lets anyone who reads the repo forge tokens. Because it silently works, the missing env var is never noticed until it is exploited.

How to fix it

Remove the fallback and read the variable directly, failing fast if it is missing: const s = process.env.JWT_SECRET; if (!s) throw new Error("JWT_SECRET is required"). Keep real values in an untracked .env locally and in your host secret store in production, with names listed in .env.example. Rotate any secret whose fallback was ever committed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks