DEV Community

Miguel A. Calles

Posted on • Originally published at miguelacallesmba.Medium

Be careful when using .env files

Less than 24 hours after launch, a new website was already being sniffed for secrets. A bot was searching for a .env file, where some projects store secrets. Fortunately, this website was protected by Cloudflare.

What can we learn from this?

The .env file should be treated as a potential source of a cyber breach. We should be cautious about what data we store there.

Should we put secrets in the .env file?

No, whenever it can be avoided.

Where should we store and use secrets?

Store secrets in a secrets manager or database. Limit the use of secrets to the backend code (i.e., code that never ships to the frontend web application).

How can we protect the .env file?

We should use a Web Application Firewall (WAF) to block external HTTP requests for this file. The file should only be read by the application code.
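As an added example (not code from the original post), here is a defender-side check that scans web-server access logs for the kind of .env probing described above and flags any such request the server actually answered with 2xx, which means the file was exposed rather than blocked. It assumes the common "combined" log format of nginx and Apache; the log lines are constructed, not real traffic, and the check generalizes to any leading-dot path segment, not only .env.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Regex for the "combined" access-log format used by nginx and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_dotfile_probe(target: str) -> bool:
    """True if any path segment of the request target starts with a dot.

    The path is URL-decoded first so that '%2Eenv' is caught as '.env'.
    """
    path = unquote(urlsplit(target).path)
    return any(seg.startswith(".") and seg not in (".", "..")
               for seg in path.split("/") if seg)

def find_env_probes(lines):
    """Return {client_ip: [(status, decoded_path), ...]} for dotfile probes."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_dotfile_probe(m["target"]):
            path = unquote(urlsplit(m["target"]).path)
            hits[m["ip"]].append((int(m["status"]), path))
    return dict(hits)

def served_dotfiles(hits):
    """(ip, path) pairs answered with 2xx: the file was actually exposed."""
    return [(ip, path) for ip, reqs in hits.items()
            for status, path in reqs if 200 <= status < 300]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/%2Eenv HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:20 +0000] "GET /.env HTTP/1.1" 200 341 "-" "curl/8.1"
""".splitlines()

if __name__ == "__main__":
    probes = find_env_probes(SAMPLE_LOG)
    for ip, reqs in probes.items():
        print(ip, reqs)
    for ip, path in served_dotfiles(probes):
        print(f"EXPOSED: {path} served with 2xx to {ip}")
```

A 403 or 404 on these requests shows the WAF or web server is doing its job; a 2xx is the signal to treat the secrets in that file as compromised and rotate them.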


