Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don't Commit Your Secrets
Search
Nicholas Henry
June 17, 2014
Programming
0
6.5k
Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
June 17, 2014
Tweet
Share
More Decks by Nicholas Henry
See All by Nicholas Henry
Preventing Brain Freeze: Onboarding New Developers with Living Documentation
nicholasjhenry
0
86
The Upside Down Dimension of Elixir - An introduction to metaprogramming
nicholasjhenry
1
180
Building the Montreal Elixir Community
nicholasjhenry
0
50
How Elixir is Transforming My Mind
nicholasjhenry
1
5.7k
Modeling on the Right Side of the Brain
nicholasjhenry
1
8.7k
Other Decks in Programming
See All in Programming
Kubernetesで実現できるPlatform Engineering の現在地
nwiizo
2
1k
ベクトル検索システムの気持ち
monochromegane
8
1.8k
Firebase Dynamic Linksの代替手段を自作する / Create your own Firebase Dynamic Links alternative
kubode
0
120
アプリのビルドを楽にするかわいいスクリプトを作ってみた
reimim
0
120
20250326_生成AIによる_レビュー承認システムの実現.pdf
takahiromatsui
2
210
보일러플레이트 코드가 진짜 나쁜 건가요?
gaeun5744
0
350
2025/3/18 サービスの成長で生じる幅広いパフォーマンスの問題を、 AIで手軽に解決する
shirahama_x
0
130
PromptyによるAI開発入門
ymd65536
1
330
はじめてのIssueOps - GitHub Actionsで実現するコメント駆動オペレーション
tmknom
7
2.1k
研究開発と実装OSSと プロダクトの好循環 / A virtuous cycle of research and development implementation OSS and products
linyows
1
180
SLI/SLOの設定を進めるその前に アラート品質の改善に取り組んだ話
tanden
2
420
JavaOne 2025: Advancing Java Profiling
jbachorik
1
290
Featured
See All Featured
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
A Philosophy of Restraint
colly
203
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Faster Mobile Websites
deanohume
306
31k
For a Future-Friendly Web
brad_frost
176
9.6k
Testing 201, or: Great Expectations
jmmastey
42
7.3k
BBQ
matthewcrist
88
9.5k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Git: the NoSQL Database
bkeepers
PRO
429
65k
Become a Pro
speakerdeck
PRO
26
5.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.6k
Transcript
Don’t Commit Your Secrets How to keep your application
secrets safe ! Nicholas Henry
Your secrets are everywhere • Passwords • Credentials • API
Keys • Database • Amazon S3 • Stripe • Mail Chimp Examples Synonyms
None
• Repository is shared among multiple parties • Increases your
risk for a security exploitation Why is this a bad practice?
• application is open source • application requires a high
level of governance e.g. financial, healthcare • application involves transient contractors e.g. agency • application located on multiple services e.g. CodeClimate When is this a bad practice?
When is this a bad practice? ALWAYS!
• Environment Variables • Configuration files Your options
Environment Variables # setting environment variable export STRIPE_API_KEY=07bfb7a5487dc6df" # retrieving
from Ruby ENV[‘STRIPE_API_KEY’] # =>07bfb7a5487dc6df
1 # config/application.yml" 2 " 3 production:" 4 secret_key_base: 33619eed953400c0e58695"
5 stripe_api_key: 07bfb7a5487dc6df Configuration File
• Rails 4.1 application • Deploy to Heroku Platform as
a Service (PaaS) • Configure Stripe with an API key Payment Gateway Demo
• configuration file / environments variables • config/secrets.yml" • Rails.application.secrets.your_api_key
Rails helps us keep secrets safe
None
Review 1 # config/secrets.yml" 2 " 3 production:" 4 secret_key_base:
<%= ENV[‘SECRET_KEY_BASE’] %>" 5 stripe_api_key: <%= ENV[‘STRIPE_API_KEY’] %> 1 2 3 heroku config:add STRIPE_API_KEY=montreal.rb-prod 1 # config/initializers/stripe.rb" 2 " 3 Stripe.api_key = " 4 Rails.application.secrets.stripe_api_key
• Don’t commit your secrets • If you have committed
your secrets: • setup your application to use environment variables or a configuration file • reset your API keys and other secrets Remember
nicholas@firsthand.ca @nicholasjhenry Nicholas Henry http://blog.firsthand.ca