堆栈内存溢出
  简体   繁体   English

在哪里保留Web应用程序的私钥和凭据?

[英]Where to keep private keys and credentials for a web app?

 原文  2016-12-29 10:02:53       api/ security/ go/ web-applications/ key

问题描述

I have a webapp that uses keys and credentials to call API endpoints from external services like payment gateways, database providers, and such. 我有一个Web应用程序,该应用程序使用键和凭据从诸如支付网关,数据库提供者之类的外部服务调用API端点。

I have these options in mind to keep these values: 我谨记以下这些选项来保持这些值:

  1. Set environmental variables before app start and load them when the app runs. 在应用启动之前设置环境变量,并在应用运行时加载它们。 If required values are not available, eg not set, exit the app. 如果所需的值不可用(例如未设置),请退出应用程序。
  2. On app start, ask user (myself or an administrator) to enter the credentials. 在应用启动时,要求用户(我自己或管理员)输入凭据。 If required fields are empty, exit, otherwise continue loading the app. 如果必填字段为空,请退出,否则继续加载应用程序。
  3. Keep them in a config file as plain values. 将它们作为纯值保存在配置文件中。 This is the least preferable way as to me. 对我来说,这是最不推荐的方法。

Which of these should I use if I want to keep keys as safe and secure as possible? 如果我想尽可能安全地保管钥匙,应该使用哪个?

3 个解决方案

解决方案1
 2  2016-12-29 11:03:13

I would go with user environment variables , as it is recommended by both google and amazon . 我会使用用户环境变量 ,这是googleamazon都建议的。

If you go for storing in plain text files, remember to not keep them in your app's source tree (if you use some version control, you may end up exposing them to public). 如果要存储为纯文本文件,请记住不要将其保留在应用程序的源代码树中(如果使用某些版本控制,则可能最终将其公开)。

Also, remember to regenerate your keys periodically. 另外,请记住要定期重新生成密钥。

解决方案2
 1  2016-12-29 10:08:03

I think you should, as you said, use configuration files. 我认为您应该像您所说的那样使用配置文件。 And maybe encrypt it ? 也许加密它?

解决方案3
 0  2016-12-30 00:52:14

If you have lots of keys to manage, environment variables get clumsy. 如果要管理很多键,则环境变量会变得笨拙。 A hybrid approach works for me: encrypt the secrets and put them all in config (typically as base64). 混合方法对我有用:加密秘密并将其全部放入config(通常为base64)中。 Use the same encryption key for all of them, and pass it in as an environment variable. 对所有密钥使用相同的加密密钥,并将其作为环境变量传递。

So you only need to make one environment variable to secure as many other secrets as you need. 因此,您只需要设置一个环境变量即可根据需要保护尽可能多的其他机密。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在Javascript Web App中保护私有API密钥 - Securing Private API keys in Javascript Web App 无法理解在哪里存储私钥 - Having trouble understanding where to store private keys Flutter web 中的api 密钥存放在哪里? - Where to store api keys in Flutter web? 如何为API驱动的Web应用程序保留登录凭据 - How To Persist Login Credentials for an API-driven Web App 如何在ILB ASE中将Web应用程序保持为api app调用 - How to keep web app to api app calls within ILB ASE 公钥和私钥API - Public and private API keys 如何在 azure 私有中制作网络应用程序/apiapp? - How do I make a web app/apiapp in azure private? 对于匿名提交给API的应用程序,我应该使用哪种凭证系统? - What credentials system should I use for an app where submissions to an API are anonymous? Steam Web API:我在哪里可以找到公共/私人的个人资料状态? - Steam Web API: Where I can find the profile status public/private? API设计-最好是为客户和我们的Web应用程序运行一个共享api或将其拆分为两个API(私有和公开)? - API Design - Would it be best to run a shared api for customers and our web app or split it into 2 apis, private and public?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM