How to push code to Github hiding the API keys?

I want to push some code to my GitHub repository. This code is in different languages like JavaScript, Java, Python, etc. Some of it contains private API keys that I don't want to publish.

Is there any way to hide the keys automatically? Should I remove them from my code manually?

There are many projects that I want to push to GitHub. So, manual removal is not a good option.

Sreeram TP asked Jun 03 '17 09:06


People also ask

How do I hide API key when pushing to GitHub?

The only way to hide it is to proxy your request through your own server. Netlify Functions are a free way to add some simple backend code to a frontend app. This is the method I used while learning to program in college, where I needed to share my progress with my peer group without disclosing my API keys.

How do I hide my frontend API key?

You can't. Everything in the browser belongs to your user; they can see it all. If you are making a call with credentials that you want to hide you have to do it on the server side. It's not hard to just have the client hit your server and then have your SERVER make the sensitive call as the middle man.

Can you hide your code on GitHub?

No, it is not possible and YOU SHOULD NEVER put credentials and other confidential data into GitHub in plaintext. There are lots of bots scanning through git and gathering passwords from there. It is not possible, because even if you would somehow be able to do this.


2 Answers

You should consider using .env files and reading the keys from environment variables. How to do so depends on the language and tools you use (for node.js, php, etc.).

You can exclude the .env file from commits by adding .env to .gitignore. You can also upload an example configuration .env.example with dummy data or blanks to show the schema your application requires.

Przemysław Zalewski answered Sep 22 '22 09:09


Any time you have files with sensitive data like `config.yml`, you MUST NOT commit them to your repository. I'll show you an example.

Suppose you have a yaml file with some username and password:

```yaml
# app/config/credentials.yml
credentials:
    username: foo
    password: bar
```

If you want to hide the foo and the bar values, remove this file from your repository, but add a distribution file that aims to maintain username and password fields, but without any real values:

```yaml
# app/config/credentials.yml.dist
credentials:
    username: ~
    password: ~
```

During installation you can get this file by copying app/config/credentials.yml.dist to app/config/credentials.yml.

Also, remember to add app/config/credentials.yml to your .gitignore file.

It's the same with API keys:

```yaml
# app/config/config.yml
config:
    credentials:
        username: foo
        password: bar
    api_stuffs:
        api_foo: fooooo
        api_secret: baaaaar
        api_token: tooooken
```

This works well for configuration files, and is a good pattern that saves you every time you need to share the structure of a configuration but not its sensitive data: init files, configurations and so on.

sensorario answered Sep 22 '22 09:09
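The .env / .env.example / .gitignore pattern from both answers as runnable code (an added example, not from either answerer). `parse_env`, `make_example`, `is_ignored` and `load_config` are hypothetical helper names, `SAMPLE_ENV` is a constructed file holding a placeholder key, and callers pass `os.environ` (or any mapping) as `environ`; the gitignore matcher goes slightly beyond the answers by handling `!` negation and anchored paths.

```python
import fnmatch
import re

_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

# Constructed sample .env; the key value is a placeholder, not a real credential.
SAMPLE_ENV = '''# local secrets, never committed
API_KEY="sk-example-not-real"
DB_PASSWORD=bar
export DB_USER=foo
'''

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip one layer of quotes."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f'malformed .env line: {line!r}')
        key, value = m.groups()
        quoted = len(value) > 1 and value[0] == value[-1] and value[0] in '"\''
        env[key] = value[1:-1] if quoted else value
    return env

def make_example(text):
    """Build the committable .env.example: same keys, every value blanked."""
    return ''.join(f'{key}=\n' for key in parse_env(text))

def is_ignored(gitignore_text, path):
    """Minimal .gitignore matcher: basename or anchored path, '!' negation."""
    ignored = False
    for pat in gitignore_text.splitlines():
        pat = pat.strip()
        if not pat or pat.startswith('#'):
            continue
        negate, pat = pat.startswith('!'), pat.lstrip('!')
        targets = [path] if pat.startswith('/') else [path, path.rsplit('/', 1)[-1]]
        if any(fnmatch.fnmatch(t, pat.strip('/')) for t in targets):
            ignored = not negate  # last matching rule wins, as in git
    return ignored

def load_config(env_text, required, environ):
    """Real environment (pass os.environ) wins over .env; refuse blank secrets."""
    merged = {**parse_env(env_text), **environ}
    missing = [k for k in required if not merged.get(k)]
    if missing:
        raise KeyError(f'missing secrets: {missing}')
    return {k: merged[k] for k in required}
```

Run `is_ignored` against your real .gitignore before the first push: a checked-in .env.example with blank values should load only when the deployment environment supplies the secrets.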