Hardcoding an IP address into source code is a bad idea for several reasons:
- it forces the same address to be used in every environment (dev, sys, qa, prod)
- it makes the developer, rather than the deployment, responsible for choosing the value used in production
Recommended Secure Coding Practices
- make the IP address configurable.
Noncompliant Code Example
<?php
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($socket, '8.8.8.8', 23); // Noncompliant: the address is a literal in the source
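The configurable form of the same connection, as an added example that is not part of the rule description: the address and port come from the environment variables TELNET_HOST and TELNET_PORT (hypothetical names), are validated before use, and a missing value is an error rather than a fallback to a built-in address.

```php
<?php
// Added example (not from the rule page): resolve the endpoint from configuration
// instead of a literal. Assumes the deployment sets TELNET_HOST and TELNET_PORT.

function resolveEndpoint(string $hostVar, string $portVar): array
{
    $host = getenv($hostVar);
    if ($host === false || $host === '') {
        // No silent default: an unset variable is a deployment error.
        throw new RuntimeException("$hostVar is not set");
    }
    // Accept only a well-formed IPv4 or IPv6 literal.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException("$hostVar is not a valid IP address: $host");
    }
    $port = filter_var(getenv($portVar), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new RuntimeException("$portVar must be an integer in 1..65535");
    }
    // Pick the socket family that matches the configured literal.
    $family = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false
        ? AF_INET6 : AF_INET;
    return [$host, $port, $family];
}

[$host, $port, $family] = resolveEndpoint('TELNET_HOST', 'TELNET_PORT');

$socket = socket_create($family, SOCK_STREAM, SOL_TCP);
if ($socket === false) {
    throw new RuntimeException('socket_create failed: ' . socket_strerror(socket_last_error()));
}
if (!socket_connect($socket, $host, $port)) { // Compliant: no address literal in source
    throw new RuntimeException('socket_connect failed: ' . socket_strerror(socket_last_error($socket)));
}
socket_close($socket);
```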
Exceptions
- No issue is reported for 127.0.0.1 because the loopback address is not considered sensitive
See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- CERT, MSC03-J. - Never hard code sensitive information