Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
June 17, 2014
Programming
Transcript
Your secrets are everywhere

Synonyms:
• Passwords
• Credentials
• API keys

Examples:
• Database
• Amazon S3
• Stripe
• Mail Chimp
Why is this a bad practice?
• The repository is shared among multiple parties
• Every party holding a copy of the repository also holds the secrets, which increases the risk of a security compromise
When is this a bad practice?
• the application is open source
• the application requires a high level of governance, e.g. financial or healthcare
• the application involves transient contractors, e.g. an agency
• the application's code is held by multiple services, e.g. CodeClimate

When is this a bad practice? ALWAYS!
Your options
• Environment variables
• Configuration files

Environment Variables

    # setting the environment variable
    export STRIPE_API_KEY=07bfb7a5487dc6df

    # retrieving it from Ruby
    ENV['STRIPE_API_KEY'] # => "07bfb7a5487dc6df"

Configuration File

    # config/application.yml

    production:
      secret_key_base: 33619eed953400c0e58695
      stripe_api_key: 07bfb7a5487dc6df
Payment Gateway Demo
• Rails 4.1 application
• Deployed to Heroku, a Platform as a Service (PaaS)
• Configure Stripe with an API key

Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key
Review

The committed config/secrets.yml holds only references to environment variables for production; Rails runs the file through ERB before parsing it as YAML:

    # config/secrets.yml

    production:
      secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
      stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

The values themselves are set on the platform (config:add is the older name of heroku config:set):

    heroku config:add STRIPE_API_KEY=montreal.rb-prod

The initializer reads the secret through Rails rather than from ENV directly:

    # config/initializers/stripe.rb

    Stripe.api_key = Rails.application.secrets.stripe_api_key
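The Review slide shows the committed file, the platform variable and the initializer, but not what happens when one of the variables is missing, nor how to tell the safe config/secrets.yml from the config/application.yml of the earlier "Your options" slide. The following is an added example, written for this page and not code from the deck, from Rails or from the Stripe gem. It re-creates the loading step stand-alone (ERB rendering, YAML parsing, selecting the environment section), adds a boot-time check that refuses blank secrets, and adds a pre-commit check that flags literal production values in a secrets file. SECRETS_YML and APPLICATION_YML are constructed copies of the two files on the slides; with_env, load_secrets, require_secrets!, configure_stripe and literal_production_values are names chosen here, and the Stripe gem is replaced by a plain hash so the code runs offline.

```ruby
require "erb"
require "yaml"

# Constructed copy of the config/secrets.yml from the Review slide: the
# committed file holds only ERB references to environment variables.
SECRETS_YML = <<~YML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YML

# Constructed copy of the config/application.yml from the Configuration File
# slide, with the secret values written into the file itself.
APPLICATION_YML = <<~YML
  production:
    secret_key_base: 33619eed953400c0e58695
    stripe_api_key: 07bfb7a5487dc6df
YML

class MissingSecret < StandardError; end

# Set (or, for nil, unset) environment variables for the duration of the block
# and restore them afterwards, so the scenarios below are reproducible.
def with_env(overrides)
  saved = overrides.keys.to_h { |k| [k, ENV[k]] }
  overrides.each { |k, v| v.nil? ? ENV.delete(k) : ENV.store(k, v) }
  yield
ensure
  saved&.each { |k, v| v.nil? ? ENV.delete(k) : ENV.store(k, v) }
end

# Re-creation (not Rails' own code) of what Rails 4.1 does with
# config/secrets.yml: render the ERB, parse the YAML, and return the section
# for rails_env with symbol keys, the shape Rails.application.secrets exposes.
def load_secrets(yaml_source, rails_env)
  rendered = ERB.new(yaml_source).result
  parsed = YAML.safe_load(rendered) || {}
  section = parsed.fetch(rails_env, nil) || {}
  section.transform_keys(&:to_sym)
end

# Failure mode of the ERB approach: an unset variable renders as an empty
# string, YAML reads that as nil, and Stripe.api_key would silently be nil.
# Refuse to boot instead of finding out on the first charge.
def require_secrets!(secrets, *names)
  missing = names.select { |n| secrets[n].nil? || secrets[n].to_s.strip.empty? }
  raise MissingSecret, "missing secrets: #{missing.join(', ')}" unless missing.empty?
  secrets
end

# What config/initializers/stripe.rb does, with the Stripe gem replaced by a
# plain hash so the example runs offline.
def configure_stripe(rails_env)
  secrets = load_secrets(SECRETS_YML, rails_env)
  require_secrets!(secrets, :secret_key_base, :stripe_api_key)
  { api_key: secrets[:stripe_api_key] }
end

# Pre-commit check on the raw (unrendered) file: every production value must
# be an ERB reference. Returns the keys whose values would be committed as
# literals.
def literal_production_values(yaml_source)
  parsed = YAML.safe_load(yaml_source) || {}
  production = parsed.fetch("production", nil) || {}
  production.reject { |_, v| v.is_a?(String) && v.strip.start_with?("<%") }.keys.map(&:to_sym)
end

if __FILE__ == $PROGRAM_NAME
  # The values below are made up for the demo.
  with_env("SECRET_KEY_BASE" => "demo-base", "STRIPE_API_KEY" => "sk_test_demo") do
    p configure_stripe("production")
  end
  with_env("SECRET_KEY_BASE" => "demo-base", "STRIPE_API_KEY" => nil) do
    begin
      configure_stripe("production")
    rescue MissingSecret => e
      puts "boot refused: #{e.message}"
    end
  end
  p literal_production_values(SECRETS_YML)
  p literal_production_values(APPLICATION_YML)
end
```

Run it as a script: the first scenario boots with both variables present, the second is refused because STRIPE_API_KEY is unset, and the two pre-commit checks show that the Review slide's file contains no literal production values while the application.yml from the Configuration File slide would commit both.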
Remember
• Don't commit your secrets
• If you have already committed your secrets:
  • set up your application to use environment variables or a configuration file kept out of the repository
  • reset your API keys and other secrets: removing the values from the working tree does not remove them from the repository's history, so treat a committed secret as compromised

nicholas@firsthand.ca
@nicholasjhenry
Nicholas Henry
http://blog.firsthand.ca