re: What are some fundamentals of security every developer should understand?

API Keys are just as sensitive as a username and password combination!

  • Don't expose them in publicly accessible repositories or source code.
  • Do configure them as server environment variables in a contained environment.

I'd add: never even commit a credential (password, API key, etc.) to your repo. I'd argue this applies to any repo, not just open source ones, since you never know what might happen to the repo in the future. Even if you remove the credential in a future commit, it still exists in the history.
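One practical way to act on the point above is a pre-commit check that scans the lines being added for things that look like credentials, so a key never makes it into history in the first place. The script below is an added example, not code from the original thread or from any project mentioned in it. It recognises two publicly documented key formats (AWS access key IDs starting with `AKIA`/`ASIA`, and GitHub tokens with the `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix), PEM private-key headers, and a generic `name = "value"` assignment whose name hints at a secret; the entropy threshold and the sample source lines are assumptions constructed for illustration. The `AKIAIOSFODNN7EXAMPLE` value is the example key id from AWS documentation, not a live credential.

```python
"""Pre-commit style secret scanner (added example, not from the original discussion)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Key formats. AWS access key ids and GitHub token prefixes are publicly
# documented; the generic "assignment" pattern is an illustrative assumption.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # name = "value" / name: value, where name ends in a secret-ish word.
    # The value charset deliberately excludes '.', '[', '$' and '{', so
    # os.environ["X"] or ${X} references never count as a literal value.
    "assignment": re.compile(
        r"(?i)\w*(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-+/=]{8,})"
    ),
}

# Assumed threshold (bits per character): placeholders like "changeme" fall
# below it, random-looking literals sit well above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return the names of the patterns that flag this line."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if name == "assignment" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue  # low-entropy literal: most likely a placeholder
            findings.append(name)
    return findings


def scan(text: str) -> list:
    """Scan multi-line text; return (1-based line number, pattern name) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name in scan_line(line):
            findings.append((lineno, name))
    return findings


# Constructed sample input: what a staged change might contain.
SAMPLE = """\
import os
API_KEY = os.environ["API_KEY"]
API_KEY = "xK9f2Qm7ZpL4vN8r"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
-----BEGIN RSA PRIVATE KEY-----
"""


def staged_added_lines() -> str:
    """Added lines of the staged diff, for use as a git pre-commit hook."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"], capture_output=True, text=True, check=True
    ).stdout
    return "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))


if __name__ == "__main__":
    # With --sample, scan the constructed text; otherwise scan the staged diff
    # and exit non-zero so git refuses the commit when something is flagged.
    text = SAMPLE if "--sample" in sys.argv else staged_added_lines()
    hits = scan(text)
    for lineno, name in hits:
        print(f"line {lineno}: possible {name}")
    sys.exit(1 if hits else 0)
```

Installed as `.git/hooks/pre-commit`, the script blocks a commit whose added lines trip a pattern; run it with `--sample` to see the constructed example flag lines 3, 5, 6 and 7 while leaving the environment-variable read and the placeholder alone. A scanner like this is a safety net, not a guarantee: it only sees formats it knows about, so regenerating any key that does slip through is still the real fix.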


GitHub is pretty good with that: if they detect that one of their keys was committed and pushed to GitHub, they'll let you know and disable the key.


Yeah, too true.

Just FYI, if anyone has hit this issue before: BFG Repo-Cleaner can clean the repository of any traces of files; however, if you're working on a team project the key can spread like a virus, as it will "infect" branches stemming off master in the future (if this passed code review, of course). I had to deal with a situation similar to this, as someone had committed a global config file containing passwords which was only meant for development. Fun times. Of course, the solution for rendering an API key pair useless is just to regenerate the key; however, passwords are a different story if you don't want a history of previous passwords being revealed.
