Hacker Newsnew | comments | show | ask | jobs | submitlogin

I keep secrets in the DB. Only thing in the ENV that matters is DATABASE_URL. I'm surprised more people don't do this.

I like this approach but there is a trade-off - you're an SQL injection away from losing your secrets, as opposed to a RCE or file reading bug when they're stored in .env. SQL injection bugs are more likely.


We use figaro and have a table called variables that overrides the former. Also, we can restart the app from itself and see log files live.


Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact