Slide 1

Slide 1 text

Don’t Commit Your Secrets
How to keep your application secrets safe!
Nicholas Henry

Slide 2

Slide 2 text

Your secrets are everywhere

Synonyms
• Passwords
• Credentials
• API Keys

Examples
• Database
• Amazon S3
• Stripe
• Mail Chimp

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Why is this a bad practice?
• Repository is shared among multiple parties
• Increases your risk of security exploitation

Slide 5

Slide 5 text

When is this a bad practice?
• application is open source
• application requires a high level of governance, e.g. financial, healthcare
• application involves transient contractors, e.g. agency
• application located on multiple services, e.g. CodeClimate

Slide 6

Slide 6 text

When is this a bad practice? ALWAYS!

Slide 7

Slide 7 text

Your options
• Environment Variables
• Configuration files

Slide 8

Slide 8 text

Environment Variables

# setting environment variable
export STRIPE_API_KEY=07bfb7a5487dc6df

# retrieving from Ruby
ENV['STRIPE_API_KEY'] # => "07bfb7a5487dc6df"

Slide 9

Slide 9 text

Configuration File

# config/application.yml

production:
  secret_key_base: 33619eed953400c0e58695
  stripe_api_key: 07bfb7a5487dc6df

Slide 10

Slide 10 text

Demo
• Rails 4.1 application
• Deploy to Heroku (Platform as a Service, PaaS)
• Configure Stripe with an API key (Payment Gateway)

Slide 11

Slide 11 text

Rails helps us keep secrets safe
• configuration file / environment variables
• config/secrets.yml
• Rails.application.secrets.your_api_key

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

Review

# config/secrets.yml

production:
  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
  stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>

# setting the variable on Heroku
heroku config:add STRIPE_API_KEY=montreal.rb-prod

# config/initializers/stripe.rb

Stripe.api_key =
  Rails.application.secrets.stripe_api_key
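As an added example (not from the deck, and not Rails' own implementation), the same secrets.yml pattern outside Rails: render the ERB, parse the YAML for one environment, and fail fast when a referenced environment variable is unset, instead of handing Stripe an empty key. The file contents and the key value are constructed.

```ruby
require 'erb'
require 'yaml'

# Constructed file in the same shape as the deck's config/secrets.yml:
# only environment variable references are committed, never literal values.
SECRETS_YML = <<~YAML
  production:
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    stripe_api_key: <%= ENV['STRIPE_API_KEY'] %>
YAML

# Render the ERB, parse the YAML and return the section for one environment.
# An unset variable renders as an empty YAML value, which parses to nil.
def load_secrets(yaml_source, env_name)
  rendered = ERB.new(yaml_source).result(binding)
  all = YAML.safe_load(rendered) || {}
  all.fetch(env_name, {})
end

# Refuse to boot with a blank secret: Stripe would otherwise reject the
# empty key only at the first API call, deep inside a request.
def require_secret!(secrets, name)
  value = secrets[name]
  if value.nil? || value.to_s.strip.empty?
    raise ArgumentError, "missing secret: #{name} (is the environment variable set?)"
  end
  value
end

if __FILE__ == $PROGRAM_NAME
  # constructed value for the demo, not a real key
  ENV['STRIPE_API_KEY'] ||= 'sk_test_constructed_example'
  secrets = load_secrets(SECRETS_YML, 'production')
  key = require_secret!(secrets, 'stripe_api_key')
  puts "Stripe key loaded (#{key.length} chars), never written to the repository"
end
```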

Slide 14

Slide 14 text

Remember
• Don’t commit your secrets
• If you have committed your secrets:
  • set up your application to use environment variables or a configuration file
  • reset your API keys and other secrets

Slide 15

Slide 15 text

Nicholas Henry
nicholas@firsthand.ca
@nicholasjhenry
http://blog.firsthand.ca