DEV Community

Discussion on: Disclosing a State of JavaScript/State of CSS Data Leak

Daniel Lo Nigro

This is a good reminder to not store encryption keys in a repo. Ideally use something like HashiCorp Vault, but at least don't store them in files within the repo.

SteveALee

Hosting systems like Netlify, Azure, etc. let you provide secrets via their UI, and they can be accessed from code through the process environment (process.env in Node).

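As an added illustration of the process.env approach SteveALee describes (example code written for this page, not taken from the thread or from any of the hosting providers mentioned): the part that matters in practice is not reading the variable but what happens around it. The code below fails fast at startup if a required secret is absent, names only the missing variables (never their values) in the error, and makes the loaded object print redacted, so a stray console.log or JSON.stringify does not become one more place the secret exists. The secret names API_TOKEN and DB_PASSWORD and the sample environment are constructed for the example; in real code you would pass process.env.

```javascript
// Added example (not from the thread): read secrets from the process
// environment, fail fast if any are missing, and keep them out of logs.
// The secret names below are hypothetical.

const REQUIRED = ['API_TOKEN', 'DB_PASSWORD'];

// Replace every value with a fixed placeholder for logging.
function redact(secrets) {
  return Object.fromEntries(Object.keys(secrets).map((k) => [k, '[REDACTED]']));
}

// Build a secrets object from an env-like map (normally process.env).
// Throws if any required name is absent or blank, listing the variable
// names only, so the error itself never carries a secret value.
function loadSecrets(env, required = REQUIRED) {
  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(`Missing required secrets: ${missing.join(', ')}`);
  }

  const secrets = {};
  for (const name of required) {
    secrets[name] = env[name];
  }

  // JSON.stringify(secrets) and console.log(secrets) both show the
  // redacted view; direct property access still returns the real value.
  Object.defineProperty(secrets, 'toJSON', {
    value: () => redact(secrets),
    enumerable: false,
  });
  Object.defineProperty(secrets, Symbol.for('nodejs.util.inspect.custom'), {
    value: () => redact(secrets),
    enumerable: false,
  });

  // Freeze so nothing downstream can quietly swap or add values.
  return Object.freeze(secrets);
}

// Constructed sample environment standing in for process.env.
const sampleEnv = {
  API_TOKEN: 'tok_example_123',
  DB_PASSWORD: 'example-password',
  PATH: '/usr/bin', // unrelated variables are ignored, not copied
};

// Demonstration: returns what a log line would actually show.
function demo(env = sampleEnv) {
  const secrets = loadSecrets(env);
  return JSON.stringify(secrets); // {"API_TOKEN":"[REDACTED]","DB_PASSWORD":"[REDACTED]"}
}
```

Two caveats worth keeping in mind with this approach: environment variables are inherited by every child process the app spawns and are readable by any process running as the same user (for example via /proc/PID/environ on Linux), so the redaction here only protects against accidental logging, not against a compromised host; and the secrets still have to reach the provider's UI somehow, which is the sharing problem Sacha raises in the next comment.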
Sacha Greif (author)

I'm not a huge fan of this solution either (it can lead to a lot of insecure copy/pasting into Slack or Dropbox when you need to share the secrets, multiplying the number of places the secret exists), but it's true it would have avoided the problem in this specific case.

SteveALee

It always comes back to that human error of the Post-it on the monitor with the password. Lol