Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
June 17, 2014
Programming
Transcript
Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry

Your secrets are everywhere
Synonyms: • Passwords • Credentials • API Keys
Examples: • Database • Amazon S3 • Stripe • Mail Chimp

Why is this a bad practice?
• The repository is shared among multiple parties
• It increases your risk of security exploitation

When is this a bad practice?
• the application is open source
• the application requires a high level of governance, e.g. financial, healthcare
• the application involves transient contractors, e.g. an agency
• the application is located on multiple services, e.g. CodeClimate

When is this a bad practice? ALWAYS!

Your options
• Environment Variables
• Configuration files

Environment Variables

    # setting environment variable
    export STRIPE_API_KEY=07bfb7a5487dc6df

    # retrieving from Ruby
    ENV['STRIPE_API_KEY'] # => 07bfb7a5487dc6df

Configuration File

    # config/application.yml

    production:
      secret_key_base: 33619eed953400c0e58695
      stripe_api_key: 07bfb7a5487dc6df

Payment Gateway Demo
• Rails 4.1 application
• Deploy to Heroku, a Platform as a Service (PaaS)
• Configure Stripe with an API key

Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key

Review

    # config/secrets.yml

    production:
      secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
      stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

    heroku config:add STRIPE_API_KEY=montreal.rb-prod

    # config/initializers/stripe.rb

    Stripe.api_key = Rails.application.secrets.stripe_api_key
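The Review slide's pattern, worked through as an added example that is not code from the talk: a config/secrets.yml template whose production values are ERB references to environment variables is rendered and parsed with Ruby's standard ERB and YAML libraries, standing in for what Rails does when it loads that file, and the loaded section is then checked for missing values. The check matters because an unset variable renders as an empty scalar and parses to nil, which would otherwise surface only at the first API call. The template text, the with_env helper and the variable values are all constructed for this example.

```ruby
require "erb"
require "yaml"

# Constructed stand-in for the committed config/secrets.yml from the Review
# slide: every production value is an ERB reference to an environment
# variable, so the file itself contains no secret.
SECRETS_YML = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

# Keys that must be present and non-empty before the app is allowed to boot.
REQUIRED_SECRETS = %w[secret_key_base stripe_api_key].freeze

class MissingSecret < StandardError; end

# Render the ERB tags against the process environment and parse the result as
# YAML, returning the section for the given Rails environment. This mirrors
# what Rails does when it loads config/secrets.yml; it is not Rails' own code.
def load_secrets(template, rails_env)
  rendered = ERB.new(template).result
  YAML.safe_load(rendered).fetch(rails_env) { {} }
end

# An unset variable renders as an empty scalar, which YAML parses to nil.
# Fail at boot with the key names, not at the first Stripe call with a 401.
def verify_secrets!(secrets, required = REQUIRED_SECRETS)
  missing = required.select { |k| secrets[k].nil? || secrets[k].to_s.strip.empty? }
  raise MissingSecret, "missing secrets: #{missing.join(', ')}" unless missing.empty?
  secrets
end

def boot(template, rails_env)
  verify_secrets!(load_secrets(template, rails_env))
end

# Helper (constructed for the example): set environment variables for the
# duration of the block and restore the previous values afterwards, so the
# populated and the missing-variable cases can both be shown in one process.
def with_env(vars)
  saved = {}
  saved = vars.keys.to_h { |k| [k, ENV[k]] }
  vars.each { |k, v| ENV[k] = v }
  yield
ensure
  saved.each { |k, v| ENV[k] = v }
end

if __FILE__ == $PROGRAM_NAME
  # Both values are constructed; they are not real keys.
  with_env("SECRET_KEY_BASE" => "constructed-key-base",
           "STRIPE_API_KEY" => "constructed-stripe-key") do
    p boot(SECRETS_YML, "production")
  end

  begin
    with_env("SECRET_KEY_BASE" => "constructed-key-base", "STRIPE_API_KEY" => nil) do
      boot(SECRETS_YML, "production")
    end
  rescue MissingSecret => e
    puts e.message
  end
end
```

In a real Rails 4.1 app the loading is done by Rails itself and only the verify step would be yours, typically in an initializer. One further point to keep in mind with this template style: a value containing characters that are significant to YAML, such as a colon followed by a space or a leading #, must be quoted in the template (for example "<%= ENV['STRIPE_API_KEY'] %>") or the file will not parse as intended.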
Remember
• Don't commit your secrets
• If you have committed your secrets:
  • set up your application to use environment variables or a configuration file
  • reset your API keys and other secrets
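A check that catches the mistake before it reaches the shared repository, added here as an example and not part of the talk: scan the config file and flag any key whose value is a literal rather than an <%= ENV[...] %> reference, so a key pasted straight into config/secrets.yml fails a pre-commit gate instead of being pushed and then having to be reset. Both config snippets are constructed; the leaky one reuses the Stripe key value shown on the slides, and the safe_to_commit? helper and its path argument are assumptions for the example.

```ruby
# Constructed config files for the check. The first follows the pattern from
# the slides; the second has a literal key pasted in (the value is the one
# shown on the slides, not a real key).
SAFE_CONFIG = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

LEAKY_CONFIG = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: 07bfb7a5487dc6df
YAML

# A value is acceptable only if it is an ERB reference to an environment
# variable, e.g. <%= ENV['STRIPE_API_KEY'] %>.
ENV_REFERENCE = /\A<%=\s*ENV\[['"][A-Za-z0-9_]+['"]\]\s*%>\z/

# Return [[line_number, key], ...] for every "key: value" line whose value is
# a literal instead of an environment-variable reference. Section headers and
# empty values are skipped; comment lines never match the key pattern.
def literal_secrets(config_text)
  config_text.each_line.with_index(1).filter_map do |line, number|
    match = line.match(/\A\s*([A-Za-z0-9_]+):\s*(.*?)\s*\z/)
    next unless match
    key, value = match[1], match[2]
    next if value.empty? || value.match?(ENV_REFERENCE)
    [number, key]
  end
end

# Pre-commit style gate: true when the file is safe to commit, otherwise false
# after reporting the offending lines. In practice feed it the staged content
# (git diff --cached) of each config file rather than these constants.
def safe_to_commit?(path, config_text)
  findings = literal_secrets(config_text)
  findings.each { |number, key| warn "#{path}:#{number}: literal value for #{key}" }
  findings.empty?
end

if __FILE__ == $PROGRAM_NAME
  puts safe_to_commit?("config/secrets.yml", SAFE_CONFIG)
  puts safe_to_commit?("config/secrets.yml", LEAKY_CONFIG)
end
```

The check is deliberately strict: in a secrets file every value should come from the environment, so anything that is not an ENV reference is reported, which avoids having to guess which values look secret. Keys the application needs only in development can live outside this file.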
Nicholas Henry
nicholas@firsthand.ca
@nicholasjhenry
http://blog.firsthand.ca