8 points

You shouldn’t be hard-coding API keys, and definitely not committing them to the repository.

permalink
report
reply
2 points

What should you be doing with API keys?

permalink
report
parent
reply
3 points

I guess it depends on who should have access to them, but at the company I work for, we keep all the private config files backed up in a secure place (local network server, encrypted cloud storage, whatever) and the config files are added to .gitignore. This is especially important for databases with personal info.

permalink
report
parent
reply
2 points

We load all secrets in from an instance of Hashicorp Vault we have running.

It’s pretty easy API to use, has packages for most languages, has a solid docker image, and is compatible with pretty much every type of storage under the sun.

permalink
report
parent
reply
0 points

I think, and i could be wrong, but you should be storing them in a password manager style service, and then have your application pull them out.

Which is just commiting the keys with extra steps I guess :/

permalink
report
parent
reply
1 point

For local development you would definitely keep them in a config file. Nothing wrong with that.

For production they are set during the release process.

Nothing is more expensive than developers needing to find all the configs and keys to just start up a project to make a small fix somewhere.

permalink
report
parent
reply
3 points

A config file outside of the repository to be specific.

On Linux it can go somewhere under ~

On windows it can go somewhere in AppData

Ie; ~/YourAppName/Secrets.json or whatever your config file flavor is. Json, yaml, xml, whatevs

permalink
report
parent
reply
1 point

No. For development purposes I want my devs to be able to clone the repo and start.

So the development config files are inside the repositories.

permalink
report
parent
reply
3 points

Dear God. That’s like the first thing you’d test internally. We really do be moving fast, breaking things.

permalink
report
reply

appsec

!appsec@infosec.pub

Create post

A community for all things related to application security.

Community stats

  • 1

    Monthly active users

  • 98

    Posts

  • 27

    Comments

Community moderators