Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don't Commit Your Secrets
Search
Nicholas Henry
June 17, 2014
Programming
0
6.6k
Don't Commit Your Secrets
How to keep your application secrets safe
Nicholas Henry
June 17, 2014
Tweet
Share
More Decks by Nicholas Henry
See All by Nicholas Henry
Beyond Mocks - Messing with Our Preconceptions of Testing
nicholasjhenry
0
8
Preventing Brain Freeze: Onboarding New Developers with Living Documentation
nicholasjhenry
0
97
The Upside Down Dimension of Elixir - An introduction to metaprogramming
nicholasjhenry
1
200
Building the Montreal Elixir Community
nicholasjhenry
0
52
How Elixir is Transforming My Mind
nicholasjhenry
1
5.8k
Modeling on the Right Side of the Brain
nicholasjhenry
1
8.8k
Other Decks in Programming
See All in Programming
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
2
650
TypeScriptでDXを上げろ! Hono編
yusukebe
2
440
AIプログラマーDevinは PHPerの夢を見るか?
shinyasaita
1
240
VS Code Update for GitHub Copilot
74th
2
670
Hack Claude Code with Claude Code
choplin
5
2.4k
A full stack side project webapp all in Kotlin (KotlinConf 2025)
dankim
0
130
ふつうの技術スタックでアート作品を作ってみる
akira888
1
1.1k
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
750
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
300
AIと”コードの評価関数”を共有する / Share the "code evaluation function" with AI
euglena1215
1
170
型で語るカタ
irof
0
370
Flutterで備える!Accessibility Nutrition Labels完全ガイド
yuukiw00w
0
170
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
700
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Agile that works and the tools we love
rasmusluckow
329
21k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
Thoughts on Productivity
jonyablonski
69
4.7k
Unsuck your backbone
ammeep
671
58k
Into the Great Unknown - MozCon
thekraken
40
1.9k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
How STYLIGHT went responsive
nonsquared
100
5.6k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Transcript
Don’t Commit Your Secrets How to keep your application
secrets safe ! Nicholas Henry
Your secrets are everywhere • Passwords • Credentials • API
Keys • Database • Amazon S3 • Stripe • Mail Chimp Examples Synonyms
None
• Repository is shared among multiple parties • Increases your
risk for a security exploitation Why is this a bad practice?
• application is open source • application requires a high
level of governance e.g. financial, healthcare • application involves transient contractors e.g. agency • application located on multiple services e.g. CodeClimate When is this a bad practice?
When is this a bad practice? ALWAYS!
• Environment Variables • Configuration files Your options
Environment Variables # setting environment variable export STRIPE_API_KEY=07bfb7a5487dc6df" # retrieving
from Ruby ENV[‘STRIPE_API_KEY’] # =>07bfb7a5487dc6df
1 # config/application.yml" 2 " 3 production:" 4 secret_key_base: 33619eed953400c0e58695"
5 stripe_api_key: 07bfb7a5487dc6df Configuration File
• Rails 4.1 application • Deploy to Heroku Platform as
a Service (PaaS) • Configure Stripe with an API key Payment Gateway Demo
• configuration file / environments variables • config/secrets.yml" • Rails.application.secrets.your_api_key
Rails helps us keep secrets safe
None
Review 1 # config/secrets.yml" 2 " 3 production:" 4 secret_key_base:
<%= ENV[‘SECRET_KEY_BASE’] %>" 5 stripe_api_key: <%= ENV[‘STRIPE_API_KEY’] %> 1 2 3 heroku config:add STRIPE_API_KEY=montreal.rb-prod 1 # config/initializers/stripe.rb" 2 " 3 Stripe.api_key = " 4 Rails.application.secrets.stripe_api_key
• Don’t commit your secrets • If you have committed
your secrets: • setup your application to use environment variables or a configuration file • reset your API keys and other secrets Remember
nicholas@firsthand.ca @nicholasjhenry Nicholas Henry http://blog.firsthand.ca