Skip to main content

Hardcoding

Hardcoding bakes environment-specific or sensitive values into source, forcing redeploys to change settings and risking leaked secrets. Externalize configuration via env vars and config services, and keep secrets in a vault injected at runtime.

Hardcoding is embedding values directly in source code that should instead be configurable — server URLs, file paths, port numbers, timeouts, feature toggles, and (most dangerously) credentials. The value is fixed at write time, so changing it means editing and redeploying the code.

Why It Happens

A literal is the quickest way to make code run on the developer's machine: type the local database URL, the test API key, the absolute path. It works immediately, with no config plumbing. Under time pressure these temporary literals are never externalized, and the code ships with environment-specific values baked in.

Why It Hurts

The same build cannot run in different environments, because dev, staging, and production need different values; promoting between them requires code edits, defeating build-once-deploy-anywhere. Changing a simple setting (a timeout, an endpoint) demands a full redeploy. Hardcoded absolute paths break on other machines and operating systems. Worst of all, hardcoded secrets end up committed to version control, where they are difficult to fully remove and easy to leak. The design conflates configuration with code.

Warning Signs

  • Literal URLs, hostnames, or ports in source.
  • Absolute file paths tied to one machine or OS.
  • API keys, passwords, or tokens written inline.
  • Changing an environment requires editing and rebuilding code.

Better Alternatives

Use externalized configuration: load environment-specific values from config files, a config service, or environment variables following twelve-factor principles, so one build runs everywhere. Keep secrets out of code entirely — use a secrets manager or vault and inject them at runtime. Use feature flags for behavior that must be toggled without redeploying. Provide sensible defaults but allow every environment-specific value to be overridden externally.

How to Refactor Out of It

Inventory literals that vary by environment or are sensitive. Replace each with a configuration lookup, supplying defaults where safe. Move secrets to a secrets manager and rotate any that were committed, then purge them from history. Adopt environment variables or a config layer so deployment, not code, selects values. Add a startup check that required configuration is present and fail fast if not. Add a secret-scanning gate to CI to block hardcoded credentials from returning.