We're making an app using PHP and using some third party services that require a secret API key. We have a PHP file that contains all those keys definitions that we then import (using require_once) when needed.
Is this approach safe? Should we store the keys in a different place?
Thank you.
Something similar was asked today for a shell script. The answer is valid here as well: Make sure you store the file outside the web root, or (if that's not possible) protect it using a .htaccess file.
I also like to unset() any variables containing sensitive data after use, so not even a full variable dump (e.g. in a debug message) later in that script could reveal it.
It should be relatively safe as long as the file is not accessible from the web. A lot of sites will place sensitive files outside of the webroot on the server, and simply include them when needed into their app.
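The layout both answers describe (key file outside the web root, pulled in with require, values dropped after use), written out as an added example that is not code from the thread. The paths, the service name and the `PAYMENT_API_KEY` name are assumptions for illustration; the check against `DOCUMENT_ROOT` is an extra guard so the script fails closed if the key file is ever moved under the web root.

```php
<?php
// Added example, not from the original thread. Assumed layout:
//   /var/www/html/                   <- web root (Apache DocumentRoot)
//   /var/www/app-config/secrets.php  <- key file, NOT under the web root
//
// secrets.php returns an array instead of defining globals, so the keys end
// up in a local variable that can be unset() once the script is done:
//
//   <?php
//   return [
//       'PAYMENT_API_KEY' => 'placeholder-key',  // hypothetical service
//   ];
//
// If the file cannot leave the web root, an Apache 2.4 .htaccess next to it
// is the fallback the answer above mentions:
//   <Files "secrets.php">
//       Require all denied
//   </Files>

declare(strict_types=1);

/**
 * Load the key file and refuse to continue if it turns out to be reachable
 * through the web server (i.e. it sits under DOCUMENT_ROOT).
 */
function loadSecrets(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('Secrets file not found');
    }

    $docRoot = isset($_SERVER['DOCUMENT_ROOT'])
        ? realpath($_SERVER['DOCUMENT_ROOT'])
        : false;
    if ($docRoot !== false) {
        $prefix = rtrim($docRoot, '/') . '/';
        if (strpos($real, $prefix) === 0) {
            // Fail closed: a key file under the web root is served as plain
            // text the moment PHP handling is misconfigured for it.
            throw new RuntimeException('Secrets file must live outside the web root');
        }
    }

    // Plain require, not require_once: a second require_once of a file that
    // returns an array yields bool(true) instead of the array.
    $secrets = require $real;
    if (!is_array($secrets)) {
        throw new RuntimeException('Secrets file must return an array');
    }
    return $secrets;
}

$secrets = loadSecrets('/var/www/app-config/secrets.php');  // assumed path

// Use the key for the one call that needs it (service URL is a placeholder)...
$apiKey = $secrets['PAYMENT_API_KEY'];
$ch = curl_init('https://api.example.invalid/v1/charge');
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $apiKey]);
// curl_exec($ch); ... handle the response ...
curl_close($ch);

// ...then drop the sensitive values so a later var_dump()/print_r() of the
// scope, or a debug dump of $GLOBALS, cannot reveal them.
unset($apiKey, $secrets);
```

Loading the keys through a function rather than a bare `require` at file scope also keeps them out of `$GLOBALS` in the first place; the final `unset()` covers the copies that were made in the calling scope.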