His alternative suggestion is to use Docker's secret-keeping functionality, but that's assuming that you're using Docker.which I'm not. These seem soundly reasonable to me, but I am not a security professional. Specific environment variables will not handle them appropriately/withĬare (filtering them to sub-processes, etc). New engineers who are not aware of the sensitive nature of Putting secrets in ENV variables quickly turns into tribal knowledge. When applications crash, it's common for them to store the environment variables in log-files for later debugging. Third-party tool has access to your environment, and god knows what it Third-party tool to perform some action-all of a sudden that Imagine that as part of your application, you call to a Leaked to PagerDuty that they have a well-greased internal process toĮnvironment variables are passed down to child processes, which allows for unintended access. It's common to have applications grab the whole environment and print it out for debugging or error reporting. Given that the environment is implicitly available to the process, it's hard, if not impossible, to track access and how the contents get After reading this blog post in which the author lays out arguments against using environmental variables for storing secrets, I am unsure how to proceed with deploying my application.
0 Comments
Leave a Reply. |