Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
June 17, 2014
Transcript
Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry

Your secrets are everywhere
Synonyms: • Passwords • Credentials • API Keys
Examples: • Database • Amazon S3 • Stripe • Mail Chimp

Why is this a bad practice?
• Repository is shared among multiple parties
• Increases your risk of a security exploit

When is this a bad practice?
• application is open source
• application requires a high level of governance, e.g. financial, healthcare
• application involves transient contractors, e.g. agency
• application is located on multiple services, e.g. CodeClimate

When is this a bad practice? ALWAYS!

Your options
• Environment Variables
• Configuration files

Environment Variables

    # setting environment variable
    export STRIPE_API_KEY=07bfb7a5487dc6df

    # retrieving from Ruby
    ENV['STRIPE_API_KEY'] # => 07bfb7a5487dc6df

Configuration File

    # config/application.yml

    production:
      secret_key_base: 33619eed953400c0e58695
      stripe_api_key: 07bfb7a5487dc6df

Payment Gateway Demo
• Rails 4.1 application
• Deploy to Heroku Platform as a Service (PaaS)
• Configure Stripe with an API key

Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key

Review

    # config/secrets.yml

    production:
      secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
      stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

    heroku config:add STRIPE_API_KEY=montreal.rb-prod

    # config/initializers/stripe.rb

    Stripe.api_key = Rails.application.secrets.stripe_api_key

Remember
• Don't commit your secrets
• If you have committed your secrets:
  • set up your application to use environment variables or a configuration file
  • reset your API keys and other secrets
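The two checks a practitioner wants around the secrets.yml-plus-ENV pattern from the Review slide, as an added example (not code from the deck): loading the file the way Rails does, failing fast when a referenced environment variable is unset, and flagging a hard-coded value before it gets committed. Both YAML samples and the key value in LEAKY_YML are constructed for this example.

```ruby
require "erb"
require "yaml"

# Constructed sample files (not from the deck): one secrets.yml written the
# way the deck recommends, and one with a hard-coded key that must never be
# committed. The key value below is made up.
SAFE_YML = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

LEAKY_YML = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: 07bfb7a5487dc6df
YAML

# Render the ERB against the process environment, then parse the YAML:
# the same two-step load Rails applies to config/secrets.yml.
def load_secrets(yml, env_name = "production")
  YAML.safe_load(ERB.new(yml).result)[env_name] || {}
end

# An unset variable renders as an empty string, which YAML reads as nil, so
# the app would boot with a blank key instead of failing. Report those keys.
def missing_secrets(yml, env_name = "production")
  load_secrets(yml, env_name).select { |_, v| v.nil? || v.to_s.empty? }.keys
end

# Keys that look like secrets but carry a literal value rather than an
# <%= ENV[...] %> reference. Run this over staged config files before committing.
SECRET_KEY_RE = /^\s*(\w*(?:key|secret|password|token)\w*)\s*:\s*(.*)$/i
def hardcoded_secrets(yml)
  yml.each_line.filter_map do |line|
    m = line.match(SECRET_KEY_RE)
    next unless m
    value = m[2].strip
    next if value.empty? || value.start_with?("<%")
    m[1]
  end
end
```

Calling missing_secrets at boot (for example from an initializer) turns a forgotten `heroku config:add` into an immediate error rather than a blank API key in production.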
Nicholas Henry
nicholas@firsthand.ca
@nicholasjhenry
http://blog.firsthand.ca