1- < p > Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:</ p >
1+ < p > IP addresses hardcoded in source code couple the application to a specific infrastructure configuration. Today’s services have an ever-changing
2+ architecture due to their scaling and redundancy needs. When an IP address changes, every hardcoded occurrence must be found and updated, which has an
3+ impact on development, delivery, and deployment:</ p >
24< ul >
3- < li > < a href =" https://www.cve.org/CVERecord?id=CVE-2006-5901 " > CVE-2006-5901 </ a > </ li >
4- < li > < a href =" https://www.cve.org/CVERecord?id=CVE-2005-3725 " > CVE-2005-3725 </ a > </ li >
5+ < li > Developers must fix the code every time the address changes, instead of having an operations team update a configuration file. </ li >
6+ < li > It leads to using the same address in every environment (dev, staging, QA, production). </ li >
57</ ul >
6- < p > Today’s services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always
7- have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development,
8- delivery, and deployment:</ p >
9- < ul >
10- < li > The developers will have to do a rapid fix every time this happens, instead of having an operation team change a configuration file.</ li >
11- < li > It misleads to use the same address in every environment (dev, sys, qa, prod).</ li >
12- </ ul >
13- < p > Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially
14- sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to
15- bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which
16- will increase an attack’s impact.</ p >
17- < h2 > Ask Yourself Whether</ h2 >
18- < p > The disclosed IP address is sensitive, e.g.:</ p >
19- < ul >
20- < li > Can give information to an attacker about the network topology.</ li >
21- < li > It’s a personal (assigned to an identifiable person) IP address.</ li >
22- </ ul >
23- < p > There is a risk if you answered yes to any of these questions.</ p >
24- < h2 > Recommended Secure Coding Practices</ h2 >
25- < p > Don’t hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar
26- approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having
27- to rebuild the software.</ p >
28- < h2 > Sensitive Code Example</ h2 >
29- < pre >
30- ip = '192.168.12.42'
31- sock = socket.socket()
32- sock.bind((ip, 9090))
33- </ pre >
34- < h2 > Compliant Solution</ h2 >
35- < pre >
36- ip = config.get(section, ipAddress)
37- sock = socket.socket()
38- sock.bind((ip, 9090))
39- </ pre >
40- < h2 > Exceptions</ h2 >
41- < p > No issue is reported for the following cases because they are not considered sensitive:</ p >
8+ < h2 > Why is this an issue?</ h2 >
9+ < p > Hardcoding an IP address embeds infrastructure configuration directly into the application. This means any change to the network environment—such
10+ as moving a service to a different host or scaling horizontally—requires a code modification and a full redeployment. Unlike a domain name, a
11+ hardcoded address also makes it harder to use different values across environments such as development, staging, and production.</ p >
12+ < h3 > What is the potential impact?</ h3 >
13+ < h4 > Environment coupling</ h4 >
14+ < p > A hardcoded IP address is the same in every environment the application runs in. This makes it difficult to point development, staging, and
15+ production builds at different infrastructure without modifying the source code.</ p >
16+ < h4 > Increased deployment friction</ h4 >
17+ < p > Any change to the target host—such as migrating a service, scaling out, or rotating infrastructure—requires a code change and a full redeployment
18+ cycle. This prevents operational teams from making infrastructure adjustments independently and slows down incident response.</ p >
19+ < h3 > Exceptions</ h3 >
20+ < p > No issue is reported for the following well-known, special-purpose addresses, as they do not represent configurable infrastructure endpoints:</ p >
4221< ul >
4322 < li > Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255)</ li >
4423 < li > Broadcast address 255.255.255.255</ li >
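Review bot: the rewrite of the opening paragraph (lines 1+ to 3+) together with the new "What is the potential impact?" subsections (lines 12+ to 18+) removes every security-related reason from the description: the two CVE references (CVE-2006-5901, CVE-2005-3725), the paragraph about attackers decompiling the code to discover a sensitive address and the time a rebuild adds to remediation, and the "Ask Yourself Whether" questions on network-topology disclosure and personal IP addresses. For a rule whose first sentence used to state that hardcoding IP addresses is security-sensitive, the impact section should keep at least one subsection on information disclosure, for example `<h4>Disclosure of internal addresses</h4>` summarising that a shipped binary reveals the address and that changing it requires a rebuild; the CVE links could move to the Resources section rather than disappear. Separately, list items 5+ and 6+ restate what the "Environment coupling" and "Increased deployment friction" subsections say a few lines later, so one of the two should be dropped to avoid making the same point twice.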
@@ -50,7 +29,23 @@ <h2>Exceptions</h2>
5029 < li > Addresses in the range 2001:db8::/32, reserved for documentation purposes by < a href ="https://datatracker.ietf.org/doc/html/rfc3849 "> RFC
5130 3849</ a > </ li >
5231</ ul >
53- < h2 > See</ h2 >
32+ < h2 > How to fix it</ h2 >
33+ < h3 > Code examples</ h3 >
34+ < p > The following code contains a hardcoded IP address instead of reading it from configuration or environment variables.</ p >
35+ < h4 > Noncompliant code example</ h4 >
36+ < pre data-diff-id ="1 " data-diff-type ="noncompliant ">
37+ ip = '192.168.12.42' # Noncompliant
38+ sock = socket.socket()
39+ sock.bind((ip, 9090))
40+ </ pre >
41+ < h4 > Compliant solution</ h4 >
42+ < pre data-diff-id ="1 " data-diff-type ="compliant ">
43+ ip = config.get(section, ipAddress)
44+ sock = socket.socket()
45+ sock.bind((ip, 9090))
46+ </ pre >
47+ < h2 > Resources</ h2 >
48+ < h3 > Standards</ h3 >
5449< ul >
5550 < li > OWASP - < a href ="https://owasp.org/Top10/A01_2021-Broken_Access_Control/ "> Top 10 2021 Category A1 - Broken Access Control</ a > </ li >
5651 < li > OWASP - < a href ="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure "> Top 10 2017 Category A3 - Sensitive Data
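Review bot: the compliant example at line 43+, `ip = config.get(section, ipAddress)`, is carried over unchanged but is not valid as written: `config`, `section` and `ipAddress` are never defined, and `ipAddress` as a bare name would raise NameError rather than act as a key. Now that it sits under "How to fix it" with a data-diff-id pairing, it should be self-contained, e.g. a `configparser.ConfigParser()` read from a file followed by `ip = config.get("server", "ip_address")`, or `ip = os.environ["SERVER_IP"]`, either of which matches the sentence at line 34+ promising configuration or environment variables. The section also loses the advice from the removed "Recommended Secure Coding Practices" paragraph that a domain name is an acceptable alternative when confidentiality is not required; a one-sentence paragraph before "Code examples" restoring that guidance would keep the fix section complete.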