Don't Commit Your Secrets
Nicholas Henry
June 17, 2014
How to keep your application secrets safe
Transcript
Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
Your secrets are everywhere
Synonyms: passwords, credentials, API keys
Examples: database, Amazon S3, Stripe, Mail Chimp
Why is this a bad practice?
• The repository is shared among multiple parties
• It increases your risk of a security exploit

When is this a bad practice?
• the application is open source
• the application requires a high level of governance, e.g. financial, healthcare
• the application involves transient contractors, e.g. an agency
• the application is located on multiple services, e.g. CodeClimate

When is this a bad practice? ALWAYS!
Your options
• Environment Variables
• Configuration files
Environment Variables

    # setting environment variable
    export STRIPE_API_KEY=07bfb7a5487dc6df

    # retrieving from Ruby
    ENV['STRIPE_API_KEY'] # => 07bfb7a5487dc6df
Configuration File

    # config/application.yml

    production:
      secret_key_base: 33619eed953400c0e58695
      stripe_api_key: 07bfb7a5487dc6df
Payment Gateway Demo
• Rails 4.1 application
• Deploy to Heroku Platform as a Service (PaaS)
• Configure Stripe with an API key
Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key
Review

    # config/secrets.yml

    production:
      secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
      stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

    heroku config:add STRIPE_API_KEY=montreal.rb-prod

    # config/initializers/stripe.rb

    Stripe.api_key = Rails.application.secrets.stripe_api_key
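The review above depends on Rails rendering config/secrets.yml through ERB before parsing it as YAML; that is the step at which `<%= ENV['STRIPE_API_KEY'] %>` turns into the real key at boot. The Ruby below is an added example, not code from the deck or from Rails itself: it reproduces that load step on a constructed secrets file of the same shape and adds the check a practitioner wants on top, refusing to start when a required variable is unset instead of handing the application a nil key. `load_secrets`, `MissingSecret` and the `required` list are names chosen for this example.

```ruby
require "erb"
require "yaml"

# Constructed sample with the same shape as the deck's config/secrets.yml: every
# value is an ERB reference to an environment variable, so the file holds no secrets.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

class MissingSecret < StandardError; end

# Render the ERB tags first (that is the step that reads ENV), then parse the YAML
# and pick the section for the requested environment. Rails does the same for
# secrets.yml but returns nil for an unset variable; here every name in `required`
# must be present and non-empty, so a forgotten export fails at boot rather than at
# the first call to Stripe.
def load_secrets(yaml_source, env, required: %w[secret_key_base stripe_api_key])
  rendered = ERB.new(yaml_source).result(binding)
  sections = YAML.safe_load(rendered) || {}
  secrets  = sections.fetch(env) { raise MissingSecret, "no #{env} section in secrets file" } || {}

  # An unset variable renders as an empty scalar, which YAML loads as nil.
  missing = required.select { |name| secrets[name].to_s.strip.empty? }
  raise MissingSecret, "#{env}: unset secret(s) #{missing.join(', ')}" unless missing.empty?

  secrets.transform_values(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  begin
    # Only the key names are printed; the values never go to a log.
    puts load_secrets(SECRETS_YML, ENV.fetch("RAILS_ENV", "development")).keys.inspect
  rescue MissingSecret => e
    warn "refusing to start: #{e.message}"
  end
end
```

With the values from the deck exported (`export STRIPE_API_KEY=07bfb7a5487dc6df`), `load_secrets(SECRETS_YML, "production")` returns the two strings the Stripe initializer needs; drop one export and the same call raises `MissingSecret` naming the absent key, which is the behaviour you want in a deploy rather than a nil `Stripe.api_key` discovered by the first failed charge.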
Remember
• Don't commit your secrets
• If you have committed your secrets:
  • set up your application to use environment variables or a configuration file
  • reset your API keys and other secrets, since anything that has been in the repository history must be treated as exposed
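"Don't commit your secrets" is easier to keep when a pre-commit hook enforces it. The Ruby below is an added example, not part of the deck: it flags lines in config and dotenv files that assign a literal value to a secret-looking key, while accepting the `<%= ENV[...] %>` references used in the review slide's config/secrets.yml. The key-name pattern, the `scan_text` and `scan_staged` helpers and the file-path filter are assumptions made for this example; the sample file contents are constructed from the deck's two config files.

```ruby
# Names whose values are treated as secrets, and the one value shape allowed in a
# committed file: an ERB reference to ENV, as in the deck's config/secrets.yml.
SECRET_KEY_NAMES = /secret|password|passwd|token|api_key|credential/i
ENV_REFERENCE    = /\A<%=\s*ENV(?:\[\s*['"][A-Z0-9_]+['"]\s*\]|\.fetch\(\s*['"][A-Z0-9_]+['"]\s*\))\s*%>\z/
# `key: value` (YAML) or `KEY=value` / `export KEY=value` (dotenv, shell) on one line.
ASSIGNMENT       = /\A\s*(?:export\s+)?([A-Za-z0-9_.-]+)\s*[:=]\s*(.*?)\s*\z/
# Files the hook looks at: YAML config and .env files, not application source.
CONFIG_PATH      = /\.ya?ml\z|(\A|\/)\.env(\.[\w.-]+)?\z/

Finding = Struct.new(:path, :line, :key)

# One Finding per hard-coded secret. The value is deliberately not recorded, so the
# hook's output can be pasted into a ticket without leaking the secret a second time.
def scan_text(path, text)
  text.each_line.with_index(1).filter_map do |line, lineno|
    next unless (m = ASSIGNMENT.match(line.chomp))
    key, value = m[1], m[2]
    next unless key.match?(SECRET_KEY_NAMES)
    next if value.empty? || value.match?(ENV_REFERENCE)
    Finding.new(path, lineno, key)
  end
end

# Pre-commit use: scan the staged copy (the index version) of every config-looking file.
def scan_staged
  staged = IO.popen(%w[git diff --cached --name-only --diff-filter=ACM], &:read).split("\n")
  staged.grep(CONFIG_PATH).flat_map do |path|
    scan_text(path, IO.popen(["git", "show", ":#{path}"], &:read))
  end
end

# Constructed inputs: the deck's committed config (before) and its secrets.yml (after),
# plus a dotenv-style file with one exported key.
COMMITTED_CONFIG = <<~YAML
  # config/application.yml

  production:
    secret_key_base: 33619eed953400c0e58695
    stripe_api_key: 07bfb7a5487dc6df
YAML

ENV_BACKED_CONFIG = <<~YAML
  # config/secrets.yml

  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

DOTENV = "export STRIPE_API_KEY=07bfb7a5487dc6df\nDATABASE_URL=postgres://localhost/app\n"

if __FILE__ == $PROGRAM_NAME && ARGV.first == "--staged"
  findings = scan_staged
  findings.each { |f| warn "#{f.path}:#{f.line}: hard-coded value for #{f.key}" }
  exit(findings.empty? ? 0 : 1)
end
```

Installed as `.git/hooks/pre-commit` and run with `--staged`, the script exits non-zero when the deck's `config/application.yml` is staged (two findings, `secret_key_base` and `stripe_api_key`) and passes the ENV-backed `config/secrets.yml`. The scan is a name heuristic, not a classifier: a `DATABASE_URL` with an embedded password slips past it, so extend `SECRET_KEY_NAMES` for the keys your own application uses.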
Nicholas Henry
nicholas@firsthand.ca
@nicholasjhenry
http://blog.firsthand.ca