Hardcoding an IP address into source code is a bad idea for several reasons:
- a recompile and redeploy is required whenever the address changes
- it forces the same address to be used in every environment (dev, sys, qa, prod), so the code cannot be promoted between environments without modification
- it places the responsibility of choosing the value used in production on the developer rather than on whoever operates the deployment
- it exposes the address to anyone who obtains the compiled artifact: an attacker can decompile the code and thereby discover a potentially sensitive address (an internal host, a database server, a management interface)
Recommended Secure Coding Practices
- make the IP address configurable.
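The following is an added example of one way to make the endpoint configurable; it is not SonarSource's code and is not part of the rule text. It resolves the IRC server host and port from a JVM system property, then an environment variable, then an optional properties file (the property and variable names, the lookup order and the `IrcClientConfig` class are assumptions of this example). There is deliberately no hardcoded fallback address: if nothing is configured the application fails closed instead of silently connecting to a baked-in host.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;

/**
 * Added example (hypothetical names): the server address lives in
 * configuration, never in a string literal in source.
 * Lookup order: -D system property, then environment variable,
 * then an optional properties file named by -Dirc.config=<path>.
 */
public final class IrcClientConfig {

    static final String HOST_PROPERTY = "irc.server.host";
    static final String PORT_PROPERTY = "irc.server.port";
    static final String HOST_ENV = "IRC_SERVER_HOST";
    static final String PORT_ENV = "IRC_SERVER_PORT";
    static final String CONFIG_FILE_PROPERTY = "irc.config";
    static final int DEFAULT_PORT = 6667;      // well-known IRC port, not an address
    static final int CONNECT_TIMEOUT_MS = 5_000;

    private final String host;
    private final int port;

    private IrcClientConfig(String host, int port) {
        this.host = host;
        this.port = port;
    }

    /** Loads the endpoint; throws if the host is missing or the port is malformed. */
    public static IrcClientConfig load() throws IOException {
        Properties fileProps = new Properties();
        String configPath = System.getProperty(CONFIG_FILE_PROPERTY);
        if (configPath != null) {
            try (InputStream in = Files.newInputStream(Paths.get(configPath))) {
                fileProps.load(in);
            }
        }

        String host = firstNonBlank(
                System.getProperty(HOST_PROPERTY),
                System.getenv(HOST_ENV),
                fileProps.getProperty(HOST_PROPERTY));
        String portText = firstNonBlank(
                System.getProperty(PORT_PROPERTY),
                System.getenv(PORT_ENV),
                fileProps.getProperty(PORT_PROPERTY));

        // Fail closed: no compiled-in address to fall back on.
        if (host == null) {
            throw new IllegalStateException("IRC server host not configured; set -D"
                    + HOST_PROPERTY + ", " + HOST_ENV + " or " + HOST_PROPERTY
                    + " in the file given by -D" + CONFIG_FILE_PROPERTY);
        }

        int port;
        try {
            port = portText == null ? DEFAULT_PORT : Integer.parseInt(portText);
        } catch (NumberFormatException e) {
            throw new IllegalStateException("IRC server port is not a number: " + portText, e);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalStateException("IRC server port out of range: " + port);
        }
        return new IrcClientConfig(host, port);
    }

    /** Opens the socket to the configured endpoint with a bounded connect timeout. */
    public Socket connect() throws IOException {
        Socket socket = new Socket();
        socket.connect(new InetSocketAddress(host, port), CONNECT_TIMEOUT_MS);
        return socket;
    }

    private static String firstNonBlank(String... candidates) {
        for (String c : candidates) {
            if (c != null && !c.trim().isEmpty()) {
                return c.trim();
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        IrcClientConfig cfg = IrcClientConfig.load();
        try (Socket socket = cfg.connect()) {
            System.out.println("Connected to " + socket.getRemoteSocketAddress());
        }
    }
}
```

Run it as `java -Dirc.server.host=irc.example.org IrcClientConfig` or with `IRC_SERVER_HOST` set in the environment; the production value is then supplied by the deployment, not by the developer. Moving the address out of source only helps if the configuration itself is not committed to the repository alongside the code and is readable only by the account that runs the service; otherwise the address is just as exposed as it was in the class file.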
Noncompliant Code Example
String ip = "192.168.12.42"; // Noncompliant
Socket socket = new Socket(ip, 6667);
Exceptions
- No issue is reported for 127.0.0.1 because the loopback address is not considered sensitive
See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- CERT, MSC03-J - Never hard code sensitive information