A Terrifying Tech Tale: Why Bad Code Can Be Dangerous (and Hilarious)
Found hardcoded API keys in a live project — Stripe, MongoDB, everything. Here's why that's a major security risk (and how I’m fixing it right).

Tags: Maintenance, horror story, security
This week, I was handed a new project by someone I work with — a referral from one of their clients. The client’s website looked great on the outside, but the backend wasn’t working. They asked me to take a look. What I found was… horrifying. Let me walk you through it — and explain a few technical terms along the way for those less familiar with developer jargon.

First, What Went Wrong?

The previous developer should honestly have their programming license revoked. (I know, I know… we’re not doctors — there are no licenses. But still, this was a crime.)

Besides breaking every basic rule of clean code — from terrible file structure to randomly named functions — here’s the kicker:

All the API keys were hardcoded directly into the source code. That’s right. Every single one. Stripe, MongoDB, and everything in between.

What Does That Even Mean?

Here’s a super short glossary:

- API key: Like a password that lets code access a service such as payments (Stripe) or databases (MongoDB).
- Hardcoded: When sensitive info is written directly into the code instead of being stored securely.
- .env file: A hidden file used to store secret keys and config settings safely, outside of the visible codebase (and outside version control).
- Stripe: A popular service for handling online payments.
- MongoDB: A document database, usually consumed as a cloud-hosted service, that is common in modern web apps.

And It Gets Better (or Worse)

Before even looking at the code, the client paid me to move the API keys into a .env file — which would normally be a great step towards securing the project. Except… it was pointless. Because the original code had the API keys hardcoded everywhere. 🤦♂️

The Only Real Solution?

Start. From. Scratch.

So that’s what I’m doing — rebuilding this project the right way, with secure practices, clean code, and a structure that won’t give the next developer a heart attack.

Why This Matters

This isn't just a rant. It's a reminder for anyone hiring a developer (or learning to code):

- Don’t just focus on how your site looks.
- Make sure the backend is safe, scalable, and maintainable.
- Security is not optional. I can't believe I need to say that.

If you’re not sure how to check that, ask someone who does. Or bring someone like me in to review it before it becomes a nightmare.

Want to avoid horror stories like this for your website? Feel free to reach out — I’m always happy to take a look.

https://mosheschwartzberg.com/contact
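To make the hardcoded-versus-.env point concrete, here is an added Node.js example (not code from the post or from the client's project). It shows the "before" pattern the post describes, a config loader that reads the Stripe and MongoDB settings from environment variables and refuses to start if they are missing, and a small scanner that flags key-shaped literals left behind in source files, which is exactly the check that would have revealed that moving keys into .env had not actually removed them from the code. The variable names, regular expressions and sample values (`sk_test_CONSTRUCTED...`, the `appuser` URI) are constructed placeholders, not real credentials.

```javascript
// Added example, not from the original post. Demonstrates: the hardcoded
// "before" pattern, a fail-fast environment-based config loader, and a scanner
// that detects key-shaped literals in source text. All secrets are placeholders.

// BEFORE (what the post found): credentials are string literals in the source
// tree, so they travel with every clone, CI log and backup.
const BAD_SOURCE = `
const stripe = require('stripe')('sk_test_CONSTRUCTED0000000000000000');
const uri = 'mongodb+srv://appuser:Pl4ceholder!@cluster0.example.net/shop';
`;

// AFTER: the code only knows the *names* of its secrets. Values come from
// process.env (populated from a git-ignored .env file or the host's secret
// store), and the app refuses to start if any are absent.
const REQUIRED = ['STRIPE_SECRET_KEY', 'MONGODB_URI'];

function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    // Name the variable, never its value, so the error is safe to log.
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return {
    stripeSecretKey: env.STRIPE_SECRET_KEY,
    mongodbUri: env.MONGODB_URI,
  };
}

// Patterns for the two services in the post. Stripe secret keys start with
// sk_live_ or sk_test_; a MongoDB URI containing "user:password@" embeds a
// credential. Both patterns are assumptions for this example, not a full scanner.
const SECRET_PATTERNS = [
  { name: 'stripe-secret-key', re: /\bsk_(live|test)_[A-Za-z0-9]{16,}\b/g },
  { name: 'mongodb-uri-with-credentials', re: /\bmongodb(\+srv)?:\/\/[^\s'"@/]+:[^\s'"@/]+@[^\s'"]+/g },
];

// Keep only a short prefix so a finding can be pasted into a ticket without
// copying the secret itself.
function redact(value) {
  return value.length <= 12 ? '***' : `${value.slice(0, 8)}...***`;
}

// Scan source text line by line and report each hit with its line number,
// pattern name and a redacted preview.
function findHardcodedSecrets(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // the regexes are global; reset between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        hits.push({ line: idx + 1, type: name, preview: redact(m[0]) });
      }
    }
  });
  return hits;
}

// Stand-alone demo: the "before" source trips the scanner, the loader accepts
// a constructed environment and rejects an empty one.
function demo() {
  console.log(findHardcodedSecrets(BAD_SOURCE));
  console.log(loadConfig({
    STRIPE_SECRET_KEY: 'sk_test_CONSTRUCTED0000000000000000',
    MONGODB_URI: 'mongodb+srv://appuser:Pl4ceholder!@cluster0.example.net/shop',
  }));
  try {
    loadConfig({});
  } catch (e) {
    console.log(e.message);
  }
}

demo();
```

Run it with `node` after saving to a file; to apply the scanner to a real project, feed it each file's contents and fail the build or the pre-commit hook on any hit. The loader is deliberately strict: a missing variable is a crash at startup rather than a silent fallback to a literal, which is the failure mode that made the client's .env migration pointless.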