Additional content

rules/S7164/secrets/rule.adoc

@@ -7,11 +7,6 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-// Optional: Give a general description of the secret and what it's used for.
-
-Below are some real-world scenarios that illustrate some impacts of an attacker
-exploiting the secret.
-
 // Set value that can be used to refer to the type of secret in, for example:
 // "An attacker can use this {secret_type} to ..."
 :secret_type: credentials
@@ -23,6 +18,16 @@ exploiting the secret.
 
 include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[]
 
+=== Secret storage best practice
+
+It is best practice to avoid hard-coding secrets into an application. This is
+true even in situations where the secret cannot be kept completely safe, such as
+where is must be distributed as part of a client application.
+
+Storing the secret outside of the application code makes it easier to manage
+which secret is being used. For example, it can help to ensure that a production
+secret is not accidentally used during development.
+
 == How to fix it
 
 include::../../../shared_content/secrets/fix/revoke.adoc[]
@@ -31,7 +36,7 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 
 include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
 
-**Disable the Implicit Grant Flow**
+**Disable the implicit grant flow**
 
 Prior to the introduction of PKCE, the implicit grant flow was the recommended
 solution for applications which cannot secure a `client_secret`. Dropbox allows

shared_content/secrets/impact/oauth_token_compromise.adoc

@@ -1,4 +1,4 @@
-=== OAuth Token Compromise
+=== OAuth token compromise
 
 The OAuth 2.0 authorization code grant flow is a secure method of authorizing
 a web application to access a third-party service. After the user authenticates