I know that pushing a commit with an API key is something for which a developer should have his balls cut off, but…

…I’m wondering what I should do if, somehow, I accidentally commit an API key or other sensitive information, such as an environment variable, to the repo.

Should I just revoke the access and leave it as is, or maybe locally remove this commit and force-push a new one without the key? How do you guys handle this situation in a professional environment?
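As an added example (not from anyone in this thread), a POSIX sh pre-commit hook that refuses a commit whose staged additions look like they contain a key, which is the kind of guard that stops the accident described above before it reaches the remote. The regex patterns, the hook path and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Example pre-commit hook (added illustration, not from this thread): refuse a commit when
# the staged additions contain something that looks like an API key or private key.
# Install: copy to .git/hooks/pre-commit and chmod +x. Patterns are constructed for this
# example and will need tuning; they catch common shapes, not every possible secret.

# Extended regex, matched case-insensitively: AWS-style access key id, PEM private key
# header, or a key/secret/token/password assignment followed by a long opaque value.
SECRET_REGEX='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|token|password)[[:space:]]*[=:][[:space:]]*[[:punct:]]?[A-Za-z0-9_/+=-]{16,}'

# text_has_secret TEXT: exit 0 when TEXT contains a secret-looking string, 1 otherwise.
text_has_secret() {
    printf '%s\n' "$1" | grep -E -i -q "$SECRET_REGEX"
}

# scan_for_secrets: read lines on stdin, echo any offending line to stderr,
# exit 1 when at least one line matched (block the commit), 0 when clean.
scan_for_secrets() {
    if grep -n -E -i "$SECRET_REGEX" >&2; then
        return 1
    fi
    return 0
}

# Only run the hook body when git invokes this file as .git/hooks/pre-commit,
# so the functions above can also be sourced or tested on their own.
case "$0" in
    */pre-commit)
        # Keep only added lines ('+' prefix) of the staged diff, dropping the '+++' file header.
        git diff --cached --unified=0 --no-color \
            | grep -E '^\+' | grep -v -E '^\+\+\+' | sed 's/^+//' \
            | scan_for_secrets || {
                echo "pre-commit: staged changes look like they contain a secret; commit refused." >&2
                echo "If this is a false positive, commit again with: git commit --no-verify" >&2
                exit 1
            }
        ;;
esac
```

Rewriting history only removes the key from the repository, not from anyone or any mirror that already fetched it, so a key that has already been pushed gets revoked regardless of whether the commit is rewritten.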

  • FizzyOrange@programming.dev (10 upvotes, 4 months ago)

    > only access secrets from environment variables

    I kind of think this is a bad idea because environment variables can be read from anywhere and aren’t designed to be secret.

    But I’m not sure what a better solution is tbh.

      • katy ✨ (3 upvotes, 4 months ago)

        also storing them outside of the webserver directory

    • Pup Biru@aussie.zone (3 upvotes, 4 months ago)

      you’re not entirely wrong, but this is the current standard/accepted advice for local development - probably what we’re talking about given this thread is about git commits - because exploiting this mechanism requires local access… with such access, you’re pretty screwed in far more ways