I want to share my project on GitHub with other people so that they can review my code.
However, inside the project files there is my API-Key, which would be visible for every one.
Appreciate any tips or suggestions.
However, inside the project files there is my API-Key, which would be visible for every one.
Yes they will be visible to everyone and they should never be place in your code.
- Would it be a problem?
The problem with having secrets hard coded in your code is that they can be accidentally exposed in git commits off any repository you host online. Hackers are listening in the Github API endpoint /events
and will scan immediately any commit that comes in for secrets and in a question of minutes they may be using your secrets to access any third part services in your behalf, and then you may have a story to tell like the famous My $2375 Amazon EC2 Mistake.
All this and a little more can be found in a recent article I wrote, that can be found here:
Here are some examples of places where exposure of API Keys, tokens, passwords, cloud credentials, and other secrets have been found:
- In code that is committed to github, gitlab and other online repositories of code.
- At CI pipelines and automation tools on the cloud.
- When copy pasting code to places like Stackoverflow, Forums, Issues trackers, etc.
- Is there any way to hide the API-Key?
Well to hide it from the source code you just need to use environment variables and normally programming languages support it, and the most common approach is to have them in a .env
file in the root of your project. Bear in mind that this .env
file must be added to the .gitignore
file to prevent leaking your secrets into the code repository.
Further improvements can be achieved in a production deployment by using vaults to provide secrets to your code, like by using the Hashicorp Vault project on Github:
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
- Anything else that I should know in regard of sharing projects?
Always make easy for people to contact you in order to report security issues in your project, by providing an email in the form of [email protected]
or by placing your Twitter Handler in the README and ask them to contact you via private messages, but remember to leave private messages open to any Twitter user, otherwise they will not be able to send you one.
You should also mention in the README that Github issues shouldn't be used to report the security vulnerabilities, because that will make them visible to everyone.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With