Insecure API key handling
About A02:2021 — Cryptographic Failures
Cryptographic failures cover everything from hardcoded secrets in source code to using broken algorithms (MD5, SHA-1) to transmitting passwords in plaintext. AI coding tools frequently generate this category of bug because the safe alternatives require knowing about libraries the model wasn't trained heavily on.
Impact: When this class of bug ships, it's usually a data breach. Hardcoded API keys end up on GitHub and get scraped within minutes. Weak password hashing means a single database leak unlocks every user's password. Plaintext-over-HTTP endpoints get sniffed on public WiFi.
How to fix it: Never store secrets in source code — use environment variables and a secret manager. Use bcrypt/argon2 for password hashing, not MD5/SHA-1. Always use HTTPS in production. Use the platform's modern crypto APIs instead of rolling your own.
Common patterns in this category:
- Hardcoded API keys, tokens, or passwords committed to git
- MD5 or SHA-1 used for password hashing instead of bcrypt/argon2
- Sensitive data sent over HTTP instead of HTTPS
- Encryption keys stored alongside the encrypted data
- Custom crypto implementations instead of vetted libraries
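As an added illustration (not XploitScan's own rule implementation), the script below applies the "hardcoded API key" heuristics this rule describes to a constructed sample and shows the environment-based loading the fix recommends; the key-format regexes, identifier names and sample values are assumptions.

```javascript
// Added example, not XploitScan's rule code: a small detector for the
// "hardcoded API key" pattern plus the recommended fix (load from env, fail closed).
// Provider key formats (assumed; prefixes are public, lengths approximate).
const KNOWN_KEY_FORMATS = [
  { name: 'stripe-live-key', re: /\bsk_live_[0-9A-Za-z]{20,}\b/ },
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'github-pat', re: /\bghp_[0-9A-Za-z]{36}\b/ },
];
// Generic heuristic: a secret-looking identifier assigned a long string
// literal. `process.env.X` is not a literal, so the fixed form never matches.
const SECRET_ASSIGNMENT =
  /\b(\w*(?:key|secret|token|password)\w*)\s*[:=]\s*(['"`])([^'"`]{16,})\2/i;

function findHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const { name, re } of KNOWN_KEY_FORMATS) {
      if (re.test(text)) findings.push({ line, rule: name });
    }
    const m = SECRET_ASSIGNMENT.exec(text);
    // Report the identifier, not the literal, so findings never echo the secret.
    if (m && !findings.some((f) => f.line === line)) {
      findings.push({ line, rule: 'secret-assigned-literal', identifier: m[1] });
    }
  });
  return findings;
}

// Hardened form: the value comes from the environment (populated by a secret
// manager at deploy time); a missing value aborts startup instead of sending
// an empty credential to the provider.
function loadSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`missing required secret ${name}`);
  }
  return value;
}

// Constructed sample source; every value is fake (AKIA... is AWS's documented example).
const SAMPLE_SOURCE = [
  "const stripe = require('stripe')('sk_live_FAKEFAKEFAKEFAKEFAKEFAKE');",
  'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  "const db_password = 'correct-horse-battery-staple';",
  'const token = process.env.GITHUB_TOKEN;',
].join('\n');

console.log(findHardcodedSecrets(SAMPLE_SOURCE)); // lines 1-3 flagged, line 4 clean
```

A real scanner would add entropy scoring and an allowlist for test fixtures; the identifier-based heuristic above is deliberately strict so that a `process.env` read is never reported.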
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC049 and 157 other rules
Free, no signup. Drag and drop a zip or run npx xploitscan scan .