DEV Community

Discussion on: Sorry, I hacked you.

Kim Arnett 

Agree!! See this a lot in mobile apps too. Do you know what a good way to hide keys is? I see some people suggest putting them in a server call, but that doesn't make them any safer IMO. Thoughts?

Anthony Lombardi Author

Hacking a server is a lot harder IMO. Putting API keys in environment variables on the server is the most practical idea. I feel it is a lot easier to do a "man-in-the-middle" attack on a website to manipulate data.

You can filter access to your server to allow data coming in from only a few points. Also, logging in through SSH with RSA keys makes it almost impractical to break that password.
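The pattern the two comments above describe, as an added example that is not part of the original thread: the client never receives the key; the server reads it from its own environment, attaches it to the upstream call, and only accepts requests from a short allowlist of source networks. The environment variable name, the allowlisted networks, the upstream host and the key value are all constructed placeholders.

```python
import ipaddress
from typing import Mapping

# Constructed allowlist standing in for "a few points" that may reach the server.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]


class MissingSecret(RuntimeError):
    """Raised when the process is started without the secret it needs."""


def load_api_key(env: Mapping[str, str], name: str = "UPSTREAM_API_KEY") -> str:
    """Read the API key from the server's environment; fail closed if it is absent."""
    value = env.get(name, "").strip()
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start")
    return value


def source_allowed(client_ip: str) -> bool:
    """Accept a request only if its source address is inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def redact(secret: str) -> str:
    """Log-safe form of a secret: mask everything but the last four characters."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def build_upstream_request(client_ip: str, path: str, env: Mapping[str, str]) -> dict:
    """Server-side half of the proxy: the key is attached here and never returned to the client.
    Returns the outbound request description, or a 403 entry for a rejected source."""
    if not source_allowed(client_ip):
        return {"status": 403, "log": f"rejected request from {client_ip}"}
    key = load_api_key(env)
    return {
        "status": 200,
        "url": "https://api.example.invalid" + path,  # placeholder upstream host
        "headers": {"Authorization": f"Bearer {key}"},
        "log": f"forwarded {path} for {client_ip} using key {redact(key)}",
    }


if __name__ == "__main__":
    fake_env = {"UPSTREAM_API_KEY": "sk_test_constructed_12345678"}  # constructed value
    print(build_upstream_request("10.1.2.3", "/v1/items", fake_env)["log"])
    print(build_upstream_request("203.0.113.9", "/v1/items", fake_env)["status"])
```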

boo radley

Secret management is becoming a core concern for configuration management. There are a number of tools that deal with this -- check out writeups like Infrastructure Secret Management Software Overview for details and comparisons.

faenor

Several days ago I came across a post (although old, I think still valid) explaining a method for storing keys and passwords in your public repo.

zero-one.io/blog/2015/04/14/safely...