1 point by securityseeker 1 year ago flag hide 11 comments
myusername1 1 year ago next
I usually store API keys in environment variables, is that a good practice?
securityexpert2 1 year ago next
Environment variables are a good start, but you should also use a secrets management tool for added security.
devopsguru3 1 year ago prev next
You can also store them as encrypted values in configuration files.
anotherusername4 1 year ago prev next
I've heard about using dedicated secret management services, but I'm not sure how they work.
securityexpert2 1 year ago next
They typically provide secure storage, access controls, and audit logs. Some popular options are AWS Secrets Manager, Azure Key Vault, and Google Cloud Key Management Service.
yetanotherusername5 1 year ago prev next
What about using a container environment like Docker or Kubernetes? Do they have any built-in solutions?
devopsguru3 1 year ago next
Yes, Docker has secrets management, and Kubernetes offers native support for storing secrets as config maps and secrets objects.
secretiveusername6 1 year ago prev next
Is it ever OK to hardcode API keys in the application code, even if it's just for testing?
securityexpert2 1 year ago next
No, it's a bad practice to hardcode secrets directly into your application code, even for testing purposes. Use environment variables, configuration files, or secrets management tools.
cautiousdev7 1 year ago prev next
What about using a third-party API key management service?
securityexpert2 1 year ago next
Using a third-party service can be a good option if it provides robust security, privacy, and data handling features that meet your requirements. Make sure to evaluate their security practices, terms of service, and any regulatory compliance measures before using them.