Don't Commit Your Secrets
Nicholas Henry
June 17, 2014
How to keep your application secrets safe
Transcript
Don’t Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry

Your secrets are everywhere
Synonyms
• Passwords
• Credentials
• API Keys
Examples
• Database
• Amazon S3
• Stripe
• Mail Chimp

Why is this a bad practice?
• Repository is shared among multiple parties
• Increases your risk of a security exploit

When is this a bad practice?
• application is open source
• application requires a high level of governance, e.g. financial, healthcare
• application involves transient contractors, e.g. an agency
• application is located on multiple services, e.g. CodeClimate

When is this a bad practice? ALWAYS!
Your options
• Environment Variables
• Configuration files

Environment Variables

    # setting environment variable
    export STRIPE_API_KEY=07bfb7a5487dc6df

    # retrieving from Ruby
    ENV['STRIPE_API_KEY'] # => "07bfb7a5487dc6df"

Configuration File

    # config/application.yml

    production:
      secret_key_base: 33619eed953400c0e58695
      stripe_api_key: 07bfb7a5487dc6df

Payment Gateway Demo
• Rails 4.1 application
• Deploy to Heroku Platform as a Service (PaaS)
• Configure Stripe with an API key

Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key

Review

    # config/secrets.yml

    production:
      secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
      stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

    heroku config:add STRIPE_API_KEY=montreal.rb-prod

    # config/initializers/stripe.rb

    Stripe.api_key = Rails.application.secrets.stripe_api_key
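To show what the secrets.yml pattern in the review slide buys you, here is an added Ruby example (not from the slides or from Rails itself): it renders a constructed copy of the ERB-backed secrets.yml the way Rails does at boot, fails early when a required variable is unset instead of letting Stripe.api_key silently become nil, and scans the raw file for inline literals like the earlier application.yml, the shape a committed secret takes. The function names and the REQUIRED_SECRETS list are assumptions for the example.

```ruby
require 'erb'
require 'yaml'

# Constructed copy of the env-backed config/secrets.yml from the slides.
SAFE_SECRETS_YML = <<~YML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YML

# Constructed copy of the earlier config/application.yml with committed literals.
LEAKY_SECRETS_YML = <<~YML
  production:
    secret_key_base: 33619eed953400c0e58695
    stripe_api_key: 07bfb7a5487dc6df
YML

# Assumed list of secrets this application cannot boot without.
REQUIRED_SECRETS = %w[secret_key_base stripe_api_key].freeze

# Render the file through ERB (so <%= ENV[...] %> is resolved from the real
# process environment, as Rails does), parse the YAML and return one
# environment's section. Raises KeyError if that section is absent.
def load_secrets(yml, environment)
  rendered = ERB.new(yml).result
  (YAML.safe_load(rendered) || {}).fetch(environment)
end

# An unset variable renders to an empty value, which YAML turns into nil, so
# Stripe.api_key would quietly be nil at runtime. Fail at boot instead.
def fetch_required(secrets)
  missing = REQUIRED_SECRETS.select { |k| secrets[k].to_s.strip.empty? }
  raise ArgumentError, "unset secrets: #{missing.join(', ')} (export them)" unless missing.empty?
  secrets.slice(*REQUIRED_SECRETS)
end

# Pre-commit style check on the raw (unrendered) file: return the keys whose
# values are inline literals rather than <%= ENV[...] %> lookups. An empty
# array means no secret value is committed in the file itself.
def committed_literals(yml)
  yml.each_line.filter_map do |line|
    m = line.match(/\A\s+(\w+):\s*(\S.*?)\s*\z/) or next
    key, value = m.captures
    key unless value.start_with?('<%=') && value.include?('ENV[')
  end
end
```

Run committed_literals over config/secrets.yml in a pre-commit hook and call fetch_required from an initializer; with the variables exported via `heroku config` the app boots, and without them it stops with the missing key names.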
Remember
• Don’t commit your secrets
• If you have committed your secrets:
  • set up your application to use environment variables or a configuration file
  • reset your API keys and other secrets

Nicholas Henry
nicholas@firsthand.ca
@nicholasjhenry
http://blog.firsthand.ca