
Putting keys in repos should not be done, full stop. Even if GitHub forks weren’t public, their _private_ repos could one day be compromised. Instead, store keys in a shared vault, .gitignore the .env and have a .env.example with empty keys.
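An added CI-style check for the convention in the comment above (example code, not from the commenter): it parses dotenv text with a minimal KEY=VALUE parser, verifies that `.env.example` carries no values, that `.gitignore` covers `.env` (simplified pattern matching, no negation or directory rules), and that the template has not drifted from the real `.env`. All file contents are constructed sample input.

```python
"""Checks for the .env / .env.example / .gitignore convention (added example)."""
import fnmatch


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def keys_with_values(example_text):
    """Keys in .env.example that carry a non-empty value: the template is leaking something."""
    return [k for k, v in parse_env(example_text).items() if v]


def env_is_ignored(gitignore_text, path=".env"):
    """True if some .gitignore pattern matches `path` (assumption: fnmatch semantics,
    no '!' negation, no directory-only patterns)."""
    for pattern in gitignore_text.splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(path, pattern.lstrip("/")):
            return True
    return False


def missing_keys(env_text, example_text):
    """Keys present in the real .env but absent from .env.example (template drift)."""
    return sorted(set(parse_env(env_text)) - set(parse_env(example_text)))


def check_repo(gitignore_text, example_text, env_text):
    """Aggregate the three checks into a list of human-readable findings (empty = clean)."""
    problems = []
    if not env_is_ignored(gitignore_text):
        problems.append(".env is not covered by .gitignore")
    for key in keys_with_values(example_text):
        problems.append(f".env.example has a value for {key}")
    for key in missing_keys(env_text, example_text):
        problems.append(f".env.example is missing key {key}")
    return problems


# Constructed sample files (placeholder values, not real secrets).
GITIGNORE_OK = "node_modules/\n.env\n"
GITIGNORE_BAD = "node_modules/\n"
EXAMPLE_OK = "# copy to .env and fill in\nAPI_KEY=\nDB_URL=\n"
EXAMPLE_BAD = "API_KEY=constructed-placeholder-key\nDB_URL=\n"
ENV_REAL = 'API_KEY="constructed-placeholder-key"\nDB_URL=postgres://db/app\nEXTRA_FLAG=1\n'

if __name__ == "__main__":
    for finding in check_repo(GITIGNORE_BAD, EXAMPLE_BAD, ENV_REAL):
        print("FAIL:", finding)
```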



Any time I hear “shouldn’t be done” I translate that to “will happen regularly”.

I do see this regularly in my work. All but one dev team I’ve worked with over the last few years has done this.


Don't blame the end user for doing something you don't want them to do if it is more convenient to do and works without immediate consequences. Redesign it or rethink your assumptions.



