A single API key pushed to a public repo can be scraped by bots within minutes and rack up thousands in charges. Secrets management isn't optional — here's the baseline every project needs.
Step 1: Keep Secrets Out of Git
# .gitignore
.env
.env.local
*.pem

Commit a .env.example with empty placeholders so teammates know which variables to set, but never the real values.
Step 2: Use a Real Secret Store in Production
- Cloud-native: AWS Secrets Manager, GCP Secret Manager, Azure Key Vault.
- Platform: Vercel/Netlify environment variables, GitHub Actions Secrets.
- Self-hosted: HashiCorp Vault for centralized, audited secret access.
Step 3: Rotate and Scan
Rotate keys periodically and immediately if exposed. Add a secret scanner (gitleaks, GitHub secret scanning) to your CI so a committed key fails the build instead of reaching production.
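The CI gate from Step 3, as an added example that is not from the original post and is not gitleaks itself: a minimal pattern-plus-entropy scanner run over a constructed file tree, returning the findings that would fail the build. The rule set, thresholds and sample values are assumptions chosen for illustration.

```python
import math
import re
import sys
from collections import Counter

# Assumed illustrative rule set; a real scanner such as gitleaks ships far more rules.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+]*)"
    ),
}
MIN_LEN, MIN_ENTROPY = 16, 3.5  # assumed thresholds for the generic rule
PLACEHOLDER_WORDS = ("example", "placeholder", "changeme", "xxx")

def shannon_entropy(s):
    """Bits per character: random-looking keys score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_text(path, text):
    """Return (path, line_no, rule) for every line that looks like a live secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic-assignment":
                value = m.group(1)
                # Empty values and obvious placeholders (as in .env.example) are fine;
                # so are short or low-entropy strings that are not key material.
                if (len(value) < MIN_LEN or shannon_entropy(value) < MIN_ENTROPY
                        or any(w in value.lower() for w in PLACEHOLDER_WORDS)):
                    continue
            findings.append((path, line_no, rule))
    return findings

def ci_gate(files):
    """files maps path -> contents (e.g. the staged tree). Returns the CI exit code."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: {rule}")
    return 1 if findings else 0  # non-zero exit fails the build

# Constructed sample tree; the key-like values below are fabricated for the demo.
SAMPLE_FILES = {
    ".env.example": "API_KEY=\nDATABASE_URL=\n",
    "config.py": 'API_KEY = "q8Zr2vLmN0pT5xWc7KdY3bHs"\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": 'password = "changeme_placeholder"\n',
}

if __name__ == "__main__":
    sys.exit(ci_gate(SAMPLE_FILES))
```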
Already Leaked a Key?
Rotating beats deleting. Removing the commit doesn't help — it's in the git history and likely already scraped. Revoke and reissue the credential immediately.
