
> accidentally committed a code change that contained an active site-admin access token

Our regular reminder to try to keep credentials and other security tokens well away from any source code wherever possible, even if that might mean making things a touch less convenient.

I'd guess that most of us have checked in or otherwise posted a credential at some point in our careers. I've certainly done it in the past with an application DB connection string and had to do the quick reconfigure to revoke that access¹ – in that instance resolution was quick & easy but for other environments it might be a lot more admin.

Being careful isn't the solution because mistakes will always happen; making it damn near impossible to accidentally post credentials is the way to go.

--

[1] even though the repo checked into could only be accessed from within the company, and the DB instance in question was locked down so only the application servers and the limited few with access to a VPN connecting to its subnet, good practice dictated immediate full revocation just in case
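One concrete way to make the accidental commit the comment describes hard rather than merely discouraged is a pre-commit hook that scans the staged diff for credential-shaped lines and refuses the commit. The script below is an added example, not the commenter's code; it assumes git is on PATH, that it is installed as `.git/hooks/pre-commit`, and that the two regexes (a connection string with an embedded password, and a long token assigned to a name like TOKEN or API_KEY) are a starting point to tune, not a complete secret taxonomy.

```python
"""Pre-commit guard: refuse a commit whose staged diff adds credential-looking lines."""
import re, subprocess, sys

# Two patterns for the mistakes discussed above: a DB connection string with an
# embedded password, and an access token / API key assigned in code. Constructed
# for illustration; extend for the secret formats your own stack uses.
PATTERNS = {
    "db connection string": re.compile(
        r"(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|mssql)://[^\s:@/]+:[^\s@/]+@", re.I),
    "access token": re.compile(
        r"(?:token|api[_-]?key|secret)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}", re.I),
}

def find_secrets(diff_text):
    """Scan a unified diff; return (path, new_line_no, kind) for each added line that matches."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):    # new-file header, e.g. '+++ b/config.py'
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):    # hunk header: take the '+start' line number
            m = re.search(r"\+(\d+)", line)
            line_no = int(m.group(1)) if m else 0
        elif line.startswith("+"):     # added line: the only kind that can leak
            for kind, pat in PATTERNS.items():
                if pat.search(line[1:]):
                    findings.append((path, line_no, kind))
                    break
            line_no += 1
        elif line.startswith(" "):     # unchanged context line
            line_no += 1
    return findings

def staged_diff():
    """The diff git is about to commit, which is what a pre-commit hook should inspect."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample diff resembling the two mistakes discussed above.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,2 +10,4 @@
 DEBUG = False
+DATABASE_URL = "postgresql://app:hunter2-prod@db.internal:5432/app"
+ADMIN_TOKEN = "sk_live_0123456789abcdef0123456789abcdef"
 ALLOWED_HOSTS = ["example.internal"]
"""

if __name__ == "__main__":
    hits = find_secrets(staged_diff())
    for p, n, kind in hits:
        print(f"{p}:{n}: looks like a {kind}; commit refused", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A hook like this catches only the patterns it knows, so treat it as a safety net behind keeping secrets in a vault or environment config rather than as the sole control.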