diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
index adcd6fc47159..b2d00e38c284 100644
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
@@ -19,6 +19,10 @@
If possible, store configuration files including credential data separately from the source code,
in a secure location with restricted access.
+
+ If the credentials are a placeholder value, make sure the value is obviously a placeholder by
+ using a name such as "SampleToken"
or "MyPassword"
.
+
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
index 0a9edfb64f86..fc41f193149c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -274,6 +274,15 @@ nodes
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -403,6 +412,9 @@ edges
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -468,3 +480,4 @@ edges
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
index b033764f2648..d1543f16dc75 100644
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -297,4 +297,7 @@
(function () {
require('crypto').createHmac('sha256', 'mytoken'); // OK
+ require('crypto').createHmac('sha256', 'SampleToken'); // OK
+ require('crypto').createHmac('sha256', 'MyPassword'); // OK
+ require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
})();
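Review bot: The `// OK` markers on the new `'SampleToken'` and `'MyPassword'` lines do not say why these literals are expected to pass while `'iubfewiaaweiybgaeuybgera'` on the following line is expected to be reported; a one-word reason keeps the expectation reviewable when the heuristic is later tuned, e.g. `// OK - placeholder-looking name` on each of the two lines. The accompanying .expected hunk shows both placeholder values still appear under `nodes` and `edges` but are absent from `#select`, so the suppression appears to happen at the result stage rather than by removing the source — worth confirming that is the intended layer, since any later query change at the source stage would silently alter these expectations. Because `MyPassword` is also a plausible real weak password, a neighbouring case that differs only slightly (for instance a lower-cased variant or one with a trailing digit, constructed for the test) would document exactly where the placeholder heuristic stops and guard against over-broad suppression.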
\ No newline at end of file