Security Tip: Finding Secrets
[Tip#30] Who wants to go on a treasure hunt for secrets, credentials, and API keys?
Greetings my friends! I hope this email finds you all well. Before we get into our security tip for the week, I want to remind you about Laracon Online this week. It’s a completely free online event with lots of great speakers. I’ll be speaking in the final slot about web browser security features!
This week I’m covering one of the first things I do when starting a new security audit: searching for secrets, credentials and API keys. It’s rare to audit a site that doesn’t have some secrets hiding in the code, so it’s important for you to be aware of it and some of the tools we can use to easily audit our own apps.
👉 Security Audits: Want me to hack your app and help you improve your security? 🕵️
Secrets, API keys, credentials, passwords, encryption keys, private keys… the list goes on. There are a lot of different types of secrets that could appear in your code, either intentionally or otherwise. Maybe you commit your auth.json so everyone can easily download Nova, or your Slack webhooks are hard-coded in a controller. Or maybe you accidentally used git add . and didn’t realise what files were being included…
There are many reasons why secrets could end up in your code repository, but you really don’t want your secrets stored in your code.
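As an added example (not code from the newsletter), here is a small scanner that checks a set of repository files for the kinds of secrets mentioned above: hard-coded Slack webhooks, AWS access key IDs, private key blocks, and a committed Composer auth.json. The regexes, file names and the sample "repository" are constructed for illustration and are not exhaustive; the optional git helper simply feeds the scanner every tracked file of a checkout, which is exactly the set of files a stray git add . would have committed.

```python
import re
import subprocess
from pathlib import Path

# Illustrative patterns for common secret formats (constructed, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # Composer credentials (e.g. the Nova auth.json) carry these top-level keys.
    "composer_auth_token": re.compile(r'"(?:github-oauth|http-basic)"\s*:'),
}

# Files that should never be tracked regardless of their contents.
SENSITIVE_FILENAMES = {"auth.json", ".env", "id_rsa", "id_ed25519"}


def scan_text(text, source="<string>"):
    """Return one finding per (line, pattern) hit in a single file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": source, "line": lineno, "type": name})
    return findings


def scan_repo(sources):
    """sources: mapping of relative path -> file contents. Flags sensitive
    file names first, then scans every file's contents."""
    findings = []
    for rel_path, contents in sources.items():
        if Path(rel_path).name in SENSITIVE_FILENAMES:
            findings.append({"file": rel_path, "line": 0, "type": "sensitive_filename"})
        findings.extend(scan_text(contents, source=rel_path))
    return findings


def tracked_files(repo_dir):
    """Paths git currently tracks, i.e. what has actually been committed/staged."""
    out = subprocess.run(
        ["git", "-C", str(repo_dir), "ls-files", "-z"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.split("\0") if p]


def scan_checkout(repo_dir):
    """Scan every tracked file in a real git checkout (binary-safe via errors='replace')."""
    sources = {}
    for rel in tracked_files(repo_dir):
        try:
            sources[rel] = (Path(repo_dir) / rel).read_text(errors="replace")
        except OSError:
            continue  # unreadable or deleted-but-tracked file
    return scan_repo(sources)


# Constructed sample "repository": two files with leaked secrets, one committed
# credentials file, and two files that do it correctly (env() lookup, .env.example).
SAMPLE_REPO = {
    "app/Http/Controllers/NotifyController.php": (
        "<?php\n"
        '$hook = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";\n'
    ),
    "config/services.php": (
        "<?php\n"
        "return ['aws' => ['key' => env('AWS_ACCESS_KEY_ID')]];\n"
    ),
    "auth.json": (
        '{"http-basic": {"nova.laravel.com": '
        '{"username": "user@example.com", "password": "EXAMPLE-PLACEHOLDER"}}}\n'
    ),
    "storage/oauth-private.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n",
    ".env.example": "AWS_ACCESS_KEY_ID=\nSLACK_WEBHOOK_URL=\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']}: {f['type']}")
```

Run it as-is to scan the constructed sample, or call scan_checkout("/path/to/repo") against a real checkout; anything it reports for a tracked file is already in history, so rotating the credential matters more than just deleting the line.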