Handle secrets like API keys securely in JavaScript projects with environment variables

Views: 2,209

GitGuardian

9 months ago

In this video we look at how to effectively use the dotenv npm package to securely use secrets like API keys by loading them into your project as environment variables. To do this we first place our secrets in a .env file and the dotenv project will load these in as env variables.
You can find a copy of the code used in this video in my public GitHub repository - github.com/mackenziejj/node-e...
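
What loading a .env file amounts to, as an added example (not code from the video or its repository): a simplified stand-in for dotenv's parser that loads constructed sample values without overriding variables already set, fails fast when a required secret is missing, and masks the secret before logging. All function names and sample values are assumptions made for this illustration.

```javascript
// Added example: simplified stand-in for what dotenv does, not dotenv's own parser.
// Constructed sample .env content; every value is a fake placeholder.
const SAMPLE_DOTENV = [
  '# local development secrets (keep this file out of version control)',
  'API_KEY=constructed-key-1234567890',
  'DB_PASSWORD="p@ss word"',
  'PORT=3000',
  'not a valid line',
].join('\n');

// Parse KEY=VALUE lines; skip blanks, comments and malformed lines.
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    const quoted = value.match(/^(["'])(.*)\1$/); // strip one pair of matching quotes
    if (quoted) value = quoted[2];
    out[m[1]] = value;
  }
  return out;
}

// Copy parsed values into env without overriding values already set,
// so a value injected by the real environment wins over the file.
function loadInto(env, parsed) {
  for (const [k, v] of Object.entries(parsed)) {
    if (!(k in env)) env[k] = v;
  }
  return env;
}

// Fail fast at startup if a required secret is missing or empty.
function requireSecrets(env, names) {
  const missing = names.filter((n) => !env[n]);
  if (missing.length) throw new Error('Missing required env vars: ' + missing.join(', '));
  return Object.fromEntries(names.map((n) => [n, env[n]]));
}

// Redact a secret for log output: keep only the last 4 characters.
function mask(secret) {
  return secret.length <= 4 ? '****' : '*'.repeat(secret.length - 4) + secret.slice(-4);
}

const env = loadInto({ PORT: '8080' }, parseEnv(SAMPLE_DOTENV)); // PORT pre-set, as if by the host
const secrets = requireSecrets(env, ['API_KEY', 'DB_PASSWORD']);
console.log('API_KEY loaded:', mask(secrets.API_KEY), 'PORT:', env.PORT);
```

In a real project, pass `process.env` as the first argument to `loadInto` in place of the constructed object.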

Comments: 11

@mk72v2oq 8 months ago
Worth mentioning that Node.js recently (20.6) introduced native support for .env files. So if your application is supposed to run on new versions, you can drop the dotenv dependency.
@dotenvx 8 months ago
There are some caveats - no multiline support, no override support, no expansion support, and no .env.vault support. We wrote about it on our blog.
@Ameer_Ameen 8 months ago
Perfect video, thank you so much!
@ecstasy3129 6 months ago
Good
@richardnpaul_mob 8 months ago
ps -e reveals those secrets so env vars are not the best idea either (better than hard coding but there are better ways yet than env vars)
@GitGuardian 8 months ago
We agree, but this really gets into a deep conversation about the architecture behind your application and what infrastructure it is running on. Environment variables won't be exposed unless one or more applications are already compromised, so while it is not the most secure way, it is a good starting point in understanding how to handle secrets.
@richardnpaul_mob 8 months ago
@GitGuardian that's fair, though it's always good to know that there are downsides and potentially better approaches, even if you're showing the most balanced approach in terms of trade-offs between effort to implement and deploy versus the amount of improvement it gives 👍😊
@GitGuardian 8 months ago
@richardnpaul_mob Good points, the next videos on my planned list are on using secrets managers and vaults for secrets. We appreciate you giving us feedback 👍
@richardnpaul_mob 8 months ago
@GitGuardian I'd better subscribe then 😊
@mk72v2oq 8 months ago
If your production environment is compromised, you are screwed. It doesn't really matter if env variables are visible, because a malicious actor can simply read the .env file (or whatever place you store secrets in) directly anyway.