
I recommend putting your app's API keys into environment variables instead of configuration files for this reason.

Could you go through this process? I just did something where I used a file that was outside my repo but I knew there must be a best practice that I just didn't know about. What is it?

The implementation varies depending on your framework and personal preferences.

For development, I usually use a file named .env in the same directory as my project, and then do whatever I can to guarantee that this file won't be added to my repo (or other public places). I use .gitignore_global to exclude .env files, for instance.

For production, if you're running your app on a service like Heroku, they have commands you can execute to securely set environment variables on their server (since they discourage accessing the filesystem to load the .env file).

For Rails, take a look at the dotenv-rails gem. It's pretty convenient. https://github.com/bkeepers/dotenv

Here is the Heroku article on the topic (might not apply directly to your situation, but the principle is key): https://devcenter.heroku.com/articles/config-vars
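As an added illustration of the workflow described in the comment above (not code from the thread, the dotenv gem or Heroku), here is a minimal dotenv-style loader in Ruby. It parses a .env file into ENV without overriding variables the host already set, which is what lets the same code read keys from a gitignored .env in development and from real config vars in production, and it fails loudly when a required key is missing. The file contents and key names are constructed for the example.

```ruby
# Added example: a minimal dotenv-style loader. Not the dotenv gem's code.
# Lines of the form KEY=VALUE (optionally "export KEY=VALUE") are parsed;
# comments, blank lines and single/double quotes around values are handled.
DOTENV_LINE = /\A\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*\z/

# Parse the text of a .env file into a Hash of name => value.
def parse_dotenv(text)
  text.each_line.each_with_object({}) do |raw, vars|
    line = raw.chomp
    next if line.strip.empty? || line.strip.start_with?('#')
    m = DOTENV_LINE.match(line) or next
    key, value = m[1], m[2]
    if value =~ /\A"(.*)"\z/ || value =~ /\A'(.*)'\z/
      value = $1                       # strip matching quotes
    else
      value = value.sub(/\s+#.*\z/, '') # unquoted: drop a trailing comment
    end
    vars[key] = value
  end
end

# Load parsed variables into an environment hash (ENV by default).
# Existing entries win unless overwrite: true, so a config var set on the
# production host is never clobbered by a stale or accidentally deployed .env.
def load_dotenv(text, env: ENV, overwrite: false)
  parse_dotenv(text).each do |k, v|
    next if env.key?(k) && !overwrite
    env[k] = v
  end
  env
end

# Read a required secret; raising beats silently running with a nil API key.
def fetch_secret!(name, env: ENV)
  value = env[name]
  if value.nil? || value.empty?
    raise KeyError, "missing required environment variable #{name}"
  end
  value
end

# Constructed sample .env contents (the key values are placeholders).
SAMPLE_DOTENV = <<~DOTENV
  # development settings; this file is gitignored
  export STRIPE_API_KEY=sk_test_example_not_real
  DATABASE_URL="postgres://localhost/app_dev"
  ADMIN_EMAIL='dev@example.com'
  LOG_LEVEL=debug # trailing comment
DOTENV

if __FILE__ == $PROGRAM_NAME
  env = { 'LOG_LEVEL' => 'info' }   # pretend the host already set this one
  load_dotenv(SAMPLE_DOTENV, env: env)
  puts env.inspect                  # LOG_LEVEL stays "info"
  puts fetch_secret!('STRIPE_API_KEY', env: env)
end
```

Pass a plain Hash as `env:` in tests, as the demo does, so the loader can be exercised without touching the real process environment; in an app you would call `load_dotenv(File.read('.env'))` only in development and rely on the host's config vars everywhere else.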

Rails 4.1 includes something similar to dotenv:

A secrets.yml which is globally accessible via Rails.application.secrets, and should be in the default .gitignore from GitHub for Rails projects.
