re: What are some fundamentals of security every developer should understand? VIEW POST

re: I'd add: never even commit a credential (password/API key/etc) to your repo. I'd argue this applies to any repo, not just open source ones, since y...

Yeah too true.

Just FYI if anyone has hit this issue before: ‘Bfg repo cleaner’ can clean the repository of any traces of files, however if you’re working on a team project the key can spread like a virus as it will ‘infect’ branches stemmed off of master in the future (if this passed code review of course). I had to deal with a situation similar to this as someone had committed a global config file containing passwords which was only meant for development. Fun times. Of course the solution for deeming an API key pair useless is just to regenerate the key, however passwords are a different story if you don’t want a history of previous passwords being revealed.

code of conduct - report abuse