• @ExtraMedicated
    8 · 9 months ago

    You shouldn’t be hard-coding API keys, and definitely not committing them to the repository.

      • @ExtraMedicated
        3 · 9 months ago

        I guess it depends on who should have access to them, but at the company I work for, we keep all the private config files backed up in a secure place (local network server, encrypted cloud storage, whatever) and the config files are added to .gitignore. This is especially important for databases with personal info.

      • @pixxelkick
        2 · 9 months ago

        We load all secrets in from an instance of Hashicorp Vault we have running.

        It’s a pretty easy API to use, has packages for most languages, has a solid docker image, and is compatible with pretty much every type of storage under the sun.

      • @[email protected]
        0 · 9 months ago

        I think, and I could be wrong, but you should be storing them in a password manager style service, and then have your application pull them out.

        Which is just committing the keys with extra steps I guess :/

    • @tmRgwnM9b87eJUPq
      1 · 9 months ago

      For local development you would definitely keep them in a config file. Nothing wrong with that.

      For production they are set during the release process.

      Nothing is more expensive than developers needing to find all the configs and keys to just start up a project to make a small fix somewhere.

      • @pixxelkick
        3 · 9 months ago

        A config file outside of the repository to be specific.

        On Linux it can go somewhere under ~

        On Windows it can go somewhere in AppData

        I.e. ~/YourAppName/Secrets.json or whatever your config file flavor is: JSON, YAML, XML, whatevs
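As an added example (not code from this thread or from any poster), here is a small Python loader for the per-user secrets file described in the comment above: it resolves the platform-specific location, refuses a file that sits inside the repository working tree, and refuses one that other local users can read. The app name, file name and the JSON object format are assumptions.

```python
import json
import os
import platform
import stat
from pathlib import Path, PurePath, PurePosixPath, PureWindowsPath

# Assumed names for illustration; substitute your own.
APP_NAME = "YourAppName"
SECRETS_FILE = "Secrets.json"


def secrets_path(system, home, appdata=None):
    """Per-user location outside any repo: under ~ on Linux/macOS, under AppData on Windows."""
    if system == "Windows":
        base = PureWindowsPath(appdata) if appdata else PureWindowsPath(home) / "AppData" / "Roaming"
        return base / APP_NAME / SECRETS_FILE
    return PurePosixPath(home) / APP_NAME / SECRETS_FILE


def is_inside(path, root):
    """True if `path` lies under `root`; used to refuse a secrets file kept in the working tree."""
    path, root = PurePath(path), PurePath(root)
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def mode_is_private(mode):
    """True when only the owner can access the file (e.g. 0600): no group/other permission bits."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secrets(path, repo_root):
    """Load the JSON secrets file after checking it is outside the repo and not shared."""
    path, repo_root = Path(path).resolve(), Path(repo_root).resolve()
    if is_inside(path, repo_root):
        raise RuntimeError(f"{path} is inside the repository; move it out and add it to .gitignore")
    if os.name == "posix" and not mode_is_private(path.stat().st_mode):
        raise RuntimeError(f"{path} is readable by other users; restrict it to mode 0600")
    with path.open() as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise RuntimeError("secrets file must be a JSON object mapping name -> value")
    return data


if __name__ == "__main__":
    where = secrets_path(platform.system(), str(Path.home()), os.environ.get("APPDATA"))
    print("expected secrets location:", where)
```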

        • @tmRgwnM9b87eJUPq
          1 · 9 months ago

          No. For development purposes I want my devs to be able to clone the repo and start.

          So the development config files are inside the repositories.

          • @DoomBot5
            0 · 9 months ago

            Wow, that’s a terrible security process even for development configs. How about adding a script they can run right after cloning to pull the needed keys from a secure location using their own user credentials? Plenty of solutions out there.

            • @tmRgwnM9b87eJUPq
              0 · 9 months ago

              So let’s say the code base leaks.

              Let’s say our VPN was also compromised.

              Then what is the worst that can happen? Some internal dev API with no real data in it can be tested by hackers.