A friendly reminder: Do not commit your keys!

By Gabriel Ramirez

I was reading my daily dose of Dev.to today when I found one of those projects that make you say: Woah, I need to see the code. So I went to GitHub and started looking at the commits. Sadly, it was a single finalized-project commit, so I couldn't see the story behind the app... But I noticed something terrifying for any dev: this user had committed all his secret keys!

At first, I was planning to leave a comment. I mean, it wasn't ill-intentioned. But then I thought about it: that's dangerous too!

So I decided to write this post so that other users will have a friendly reminder in their daily feed.

How does this happen?

With personal projects, we tend to be very laid-back with the commits we make (I have committed "fixed a semicolon, should work now"), but everything we commit is saved in our project's history. EVERYTHING.

Commits keep everything exposed

For that reason, we need to be careful not to commit any sensitive information to GitHub, especially if the repository is public. (I made the same mistake in the past.)

How we can fix this

I don't want to go into much detail; every language has a slightly different implementation, and the complexity of the solution also depends on how big your project is.

But the answer I would give 9/10 times would be a .env file (or similar) that you add to .gitignore before your first commit, and read through environment variables at runtime. Note that .gitignore only stops future commits: a key that has already been committed stays in the history even after you delete the file, so treat it as compromised, revoke or rotate it, and rewrite the history if the repository is public.

Link to another dev.to post that explains it: https://dev.to/mojemoron/the-environment-variables-pattern-4dai
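One way to make "don't commit your keys" enforceable rather than a reminder is a small scanner that runs as a pre-commit hook and refuses any file that looks like it contains a credential. The example below is added here and is not from the original post or its author; the credential prefixes, the entropy threshold, and the sample .env and source files are all constructed for illustration and are not real keys.

```python
"""Pre-commit style secret scanner (added example, not the post's own code).

Run it as ``python scan_secrets.py <files...>`` from a pre-commit hook; it exits
non-zero when a staged file looks like it contains a credential. The detection
rules below are illustrative assumptions, not an exhaustive list.
"""
import math
import re
import sys
from collections import Counter

# Credential shapes that should never appear in source (assumed prefixes).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret": re.compile(r"\bsk_(live|test)_[A-Za-z0-9]{16,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# KEY=value or key: value where the variable name suggests a secret. Group 2 is
# the (unquoted) value; stopping at quotes/whitespace/# keeps comments out.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(secret|token|password|passwd|api_?key|private_?key)\w*"
    r"\s*[:=]\s*['\"]?([^'\"\s#]+)"
)
MIN_SECRET_LEN = 16      # shorter values (e.g. "changeme") are not flagged
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking strings score higher


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-character alphabets."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, name: str = "<input>") -> list:
    """Return (name, line_number, rule) for each suspicious line in ``text``."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = [rule for rule, pat in PATTERNS.items() if pat.search(line)]
        if hit:
            findings.extend((name, lineno, rule) for rule in hit)
            continue  # a known key format is already a finding; skip heuristics
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # A long, high-entropy literal assigned to a secret-like name is
            # almost certainly a hardcoded credential rather than a reference
            # such as os.environ["API_KEY"] or a placeholder like changeme.
            if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) > ENTROPY_THRESHOLD:
                findings.append((name, lineno, "high_entropy_assignment"))
    return findings


def main(paths) -> int:
    """Scan each file; print findings (never the secret itself) and return 1 if any."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    for name, lineno, rule in findings:
        print(f"{name}:{lineno}: possible credential ({rule}); refusing to commit")
    return 1 if findings else 0


# Constructed samples (not real keys) so the scanner can be exercised offline.
BAD_ENV = """# constructed .env that must never be committed
API_KEY=sk_test_EXAMPLEonlyNOTaREALkey12345
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
DB_PASSWORD="Tr0ub4dor&3-xYz9Qw!pL2"
DEBUG=true
"""

GOOD_SRC = """import os
API_KEY = os.environ["API_KEY"]
PASSWORD = os.getenv("DB_PASSWORD", "")
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With the scanner wired into `.git/hooks/pre-commit` (invoked on the output of `git diff --cached --name-only`), the constructed `.env` above is rejected for three lines, while the rewritten source that reads the same values from the environment passes cleanly; the rules are deliberately simple, so treat this as a safety net rather than a substitute for keeping secrets out of the working tree in the first place.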

Again, be careful and happy coding!
