• MajorHavoc@programming.dev
      0·
      4 months ago

      I actually do have a dollar for every API key I or my team have committed inside a config file.

      And…I’m doing pretty well.

      Also, I’ve built some close friendships with our Cybersecurity team.

    • marcos@lemmy.world
      0·
      4 months ago

      Here’s the thing, config.json should have been on the project’s .gitignore.

      Not exactly because of credentials. But, how do you change it to test with different settings?

      • MajorHavoc@programming.dev
        0·
        4 months ago

        But, how do you change it to test with different settings?

        When it’s really messy, we:

        • check in a template file,
        • securely share a .env file (and .gitignore it)
        • and check in one line script that inflates the real config file (which we also .gitignore).
      • deegeese@sopuli.xyz
        0·
        4 months ago

        For a lot of my projects, there is a config-<env>.json that is selected at startup based the environment.

        Nothing secure in those, however.