Next AI News

Ask HN: Best Practices for Securely Storing API Keys(news.ycombinator.com)

17 points by security_concerned 1 year ago flag hide 14 comments

securityexpert1 1 year ago next
I always suggest using environment variables and ensuring they are not checked into version control systems. Rotate API keys regularly and never hard code them into your application.
- newbieprogrammer 1 year ago next
  Thanks! Are there any recommended ways to secure these environment variables?
- jwtenthusiast 1 year ago prev next
  Or just use JWT and never worry about API keys again! (kidding, don't do that)
oauthguru 1 year ago prev next
Consider using OAuth when possible. It offloads the security burden onto the service provider and allows for more fine-grained control over permissions.
- securityexpert1 1 year ago next
  True, but not all service providers support OAuth and in certain cases API keys might be the only option.
dotnetdev 1 year ago prev next
In the .NET world, consider using the Azure Key Vault for securely storing API keys and other sensitive information.
awsguy 1 year ago prev next
On AWS, we use AWS Systems Manager Parameter Store to manage secure API keys and other sensitive information.
golangpro 1 year ago prev next
In the Go world, you can use the `os/env` package for managing environment variables securely.
javascriptmaster 1 year ago prev next
For JavaScript devs, consider using the `dotenv` package for handling environment variables, specifically in a development environment.
pythonprogrammer 1 year ago prev next
If you're using Python, use the `os.environ` module for handling environment variables securely.
kubernetesking 1 year ago prev next
For Kubernetes users, check out the Secrets feature for storing sensitive information like API keys.
dockerdude 1 year ago prev next
Don't forget about Docker! Use the `--env-file` or `--secret` flags when running Docker containers.
devopsguru 1 year ago prev next
Consider using a third-party service like HashiCorp's Vault for securely storing and accessing sensitive data like API keys.
cloudcomputingchamp 1 year ago prev next
When working with serverless functions (e.g. AWS Lambda, Azure Functions), you can leverage the platform's built-in functionality for secure API key management.

securityexpert1 1 year ago next
I always suggest using environment variables and ensuring they are not checked into version control systems. Rotate API keys regularly and never hard code them into your application.
- newbieprogrammer 1 year ago next
  Thanks! Are there any recommended ways to secure these environment variables?
- jwtenthusiast 1 year ago prev next
  Or just use JWT and never worry about API keys again! (kidding, don't do that)
oauthguru 1 year ago prev next
Consider using OAuth when possible. It offloads the security burden onto the service provider and allows for more fine-grained control over permissions.
- securityexpert1 1 year ago next
  True, but not all service providers support OAuth and in certain cases API keys might be the only option.
dotnetdev 1 year ago prev next
In the .NET world, consider using the Azure Key Vault for securely storing API keys and other sensitive information.
awsguy 1 year ago prev next
On AWS, we use AWS Systems Manager Parameter Store to manage secure API keys and other sensitive information.
golangpro 1 year ago prev next
In the Go world, you can use the `os/env` package for managing environment variables securely.
javascriptmaster 1 year ago prev next
For JavaScript devs, consider using the `dotenv` package for handling environment variables, specifically in a development environment.
pythonprogrammer 1 year ago prev next
If you're using Python, use the `os.environ` module for handling environment variables securely.
kubernetesking 1 year ago prev next
For Kubernetes users, check out the Secrets feature for storing sensitive information like API keys.
dockerdude 1 year ago prev next
Don't forget about Docker! Use the `--env-file` or `--secret` flags when running Docker containers.
devopsguru 1 year ago prev next
Consider using a third-party service like HashiCorp's Vault for securely storing and accessing sensitive data like API keys.
cloudcomputingchamp 1 year ago prev next
When working with serverless functions (e.g. AWS Lambda, Azure Functions), you can leverage the platform's built-in functionality for secure API key management.