
I keep secrets in the DB. Only thing in the ENV that matters is DATABASE_URL. I'm surprised more people don't do this.

I like this approach but there is a trade-off - you're an SQL injection away from losing your secrets, as opposed to an RCE or file reading bug when they're stored in .env. SQL injection bugs are more likely.

We use figaro and have a table called variables that overrides the former. Also, we can restart the app from itself and see log files live.
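The override pattern described in the comment above, as an added example that is not code from the thread or from figaro: a `variables` table whose rows take precedence over environment values, read only through bound parameters so a hostile key is compared as a literal string. Python and in-memory SQLite stand in for the commenter's stack; the column names, function names and sample values are assumptions constructed for the example.

```python
import sqlite3


def open_store():
    """Create an in-memory database holding the `variables` override table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE variables (name TEXT PRIMARY KEY, value TEXT NOT NULL)"
    )
    return conn


def set_override(conn, name, value):
    # Bound parameters: name and value are never spliced into the SQL text.
    conn.execute(
        "INSERT OR REPLACE INTO variables (name, value) VALUES (?, ?)",
        (name, value),
    )


def get_setting(conn, name, env, default=None):
    """Return the DB override for `name` if one exists, else the env value."""
    row = conn.execute(
        "SELECT value FROM variables WHERE name = ?", (name,)
    ).fetchone()
    if row is not None:
        return row[0]
    return env.get(name, default)


def demo():
    # Constructed sample environment and overrides (not real credentials).
    env = {"DATABASE_URL": "sqlite://:memory:", "SMTP_PASSWORD": "from-env"}
    conn = open_store()
    set_override(conn, "SMTP_PASSWORD", "from-db")
    set_override(conn, "API_TOKEN", "db-only")
    return {
        "overridden": get_setting(conn, "SMTP_PASSWORD", env),  # DB wins
        "db_only": get_setting(conn, "API_TOKEN", env),         # only in DB
        "env_only": get_setting(conn, "DATABASE_URL", env),     # falls back
        # Injection-shaped key is matched literally, so no row is returned.
        "hostile": get_setting(conn, "x' OR '1'='1", env),
    }


if __name__ == "__main__":
    print(demo())
```

This only hardens the settings lookup itself; the trade-off raised earlier in the thread still applies to every other query that runs with read access to the same table.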
