Where to store secrets in our Node-express app
Question
What is the best place to store secrets in your Node-express app.
Earlier, I used to store it in .env file and work with npm dotenv extension and pass it by doing something like this
process.env.MYSECRET
But it appears that this isn't the correct way. Why? for once
Firebase CLI currently doesn't allow you to set process environment variables o
The other way I encountered is creating a config file which have all our API key's and put it in gitignore but I don't want import it from my config folder over and over agin.
So being puzzled, THought about asking it here
2 answers
solution1
0 2019-01-31 21:35:37
It is not safe to store your secrets in env variables because a simple command like export would reveal all your env variables and their values. Plus, any dumps by logs could contain that too, it's just not that safe.
A slightly better option is to store a key in your config file, say my-db-pw (silly example) and when bootstrapping your app, you read the value from a key-value store. If you're using AWS (like we are) we use AWS Secrets Manager . Regardless, your password ends up being stored in RAM, which is a bit safer than env variables. And you don't need to call your secret storage every time you need a password: just call it once when your app loads, which satisfies most needs. If the password fails, then you can code to re-retrieve them.
With all of that said, a better way is hashing them. However, this seems a bit off topic, but here's a good starting point and this source here expands it. Basically, hashing is a one way algorithm. Say your password is "123" and the hash becomes "sadcdsc-324". Then when the routine (program) comparing both passwords, it'll also hash "123" internally and get the same "sadcdsc-324", and that's what gets compared. Sorry if this is off topic, but I wanted to mention this as well to be thorough.
Finally, there's encryption, but that's usually overkill for scenarios like you described.
All in all, it seems a local file config is enough for what you want, as RAM is still safer than env variables. If you want more security, you can add hashing as described above.
solution2
0 2019-04-29 04:00:05
Secrets like API keys should only be accessible to your server code and if saved to a file, excluded from your source code using a .gitignore rule.
Solution for Firebase NodeJS Cloud Functions:
- Use
firebase config:setto store your Firebase project API keys. - Create yourself a serverless function that uses the key for your client to use.
- (optional) Secure access to your new serverless API.
Example:
$ firebase functions:config:set myapp.apikey=https://hooks.slack.com/services/XXX
Then from either your local emulator or in deployed code you can use:
const functions = require('firebase-functions');
const apikey = functions.config().myapp.apikey;
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.