this post was submitted on 22 Sep 2023
18 points (95.0% liked)

appsec

335 readers
1 users here now

A community for all things related to application security.

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] ExtraMedicated@lemmy.world 8 points 1 year ago (9 children)

You shouldn't be hard-coding API keys, and definitely not committing them to the repository.

[–] infinity11@infosec.pub 2 points 1 year ago (3 children)

What should you be doing with API keys?

[–] ExtraMedicated@lemmy.world 3 points 1 year ago

I guess it depends on who should have access to them, but at the company I work for, we keep all the private config files backed up in a secure place (local network server, encrypted cloud storage, whatever) and the config files are added to .gitignore. This is especially important for databases with personal info.

[–] pixxelkick@lemmy.world 2 points 1 year ago

We load all secrets in from an instance of Hashicorp Vault we have running.

It's pretty easy API to use, has packages for most languages, has a solid docker image, and is compatible with pretty much every type of storage under the sun.

[–] CameronDev@programming.dev 0 points 1 year ago

I think, and i could be wrong, but you should be storing them in a password manager style service, and then have your application pull them out.

Which is just commiting the keys with extra steps I guess :/

load more comments (5 replies)