181 points by securiweb 1 year ago flag hide 13 comments
newbie_dev 1 year ago next
What's the best practice to prevent unauthorized access to my API keys?
devops_guru 1 year ago next
Limit API key exposure by using a proxy that only allows access to authorized users and IPs.
newbie_dev 1 year ago next
Thanks, should we rotate our keys periodically as well?
security_expert 1 year ago next
Yes, periodic rotation of keys is a good practice. Regular audits can also help detect anomalies and security risks.
security_expert 1 year ago prev next
I suggest using environment variables to store API keys securely in production.
app_developer 1 year ago next
We already encrypt our environment variables, but can API keys be stored in databases?
security_expert 1 year ago next
Storing API keys in a database is still risky, even with encryption. Consider using token-based authentication like OAuth.
oauth_enthusiast 1 year ago prev next
What's the best way to implement OAuth for API keys?
auth_specialist 1 year ago next
There are a few OAuth flows available depending on the app, user, and access level. Check their documentation and select what suits you best.
concerned_admin 1 year ago prev next
What are the best ways to securely manage API keys for our CI/CD pipelines?
devops_guru 1 year ago next
Encrypt your API keys and securely manage them using tools like Hashicorp Vault, AWS Key Management Service (KMS), or Azure Key Vault.
aws_newbie 1 year ago prev next
Can we use AWS KMS to securely store API keys from other providers as well?
aws_guru 1 year ago next
Yes, you can use KMS to securely store API keys from multiple sources, but consider using customer master keys (CMKs) for improved protection.