Re: Best way to secure external API keys?

Typically, API keys can be stored outside the app: environment variables, configuration files, on a remote server, etc. The key when storing API keys is to give them *only* the privileges they require. If you want to utilize AWS Secrets Manager, for example, but you only want to read secrets, only give the key read-only access to AWS Secrets Manager and nothing else. Store the API key in a place that your application can access but that is not known by an attacker. For ideas, see Stack Overflow questions like this one. The ultimate key with API keys is that you use the principle of least privilege: should an attacker acquire your key, the worst they can do is limited to the privileges you gave to that key. If you've given the key read-only access to something, the key is useless to an attacker.
Here are some good rules for storing API credentials in particular, as written by OSU:

  • Do not embed API keys / secrets directly in code.

  • Do not store API keys / secrets in files inside your application, including the application’s source tree.

  • If you do accidentally commit an API key / secrets to version control, revoke it immediately and generate a new one.

  • Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.

  • Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.

  • Put the configuration file containing the API keys / secrets in the revision control ignore (ex. .gitignore). This prevents committing them by mistake in the future.

  • Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and apps that need them.

  • Don't share your API keys / secrets with different applications. If more than one application uses the same API, register each application to get a new set of API keys / secrets.

  • Delete unneeded API keys / secrets.

  • Update (Regenerate) your API keys / secrets periodically.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
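The following is an added example, not code from the post above or from OSU, that puts the rules into practice: the key is loaded from an environment variable or from a file that must sit outside the source tree, it is sent in an Authorization header rather than in the URL so it cannot land in web server logs, it is redacted before anything is logged, and a small scanner flags key-looking literals in the source tree before release. The variable names EXAMPLE_API_KEY and EXAMPLE_API_KEY_FILE, the host api.example.com, and the sk_live_... values are all made-up placeholders for the example.

```python
"""Added example: keep an external API key out of the source tree, out of
URLs and logs, and catch embedded keys before release.  All names, paths and
key values below are constructed for the example."""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit


class MissingSecretError(RuntimeError):
    """Raised when no usable key is configured, so the app fails closed."""


def load_api_key(env_var="EXAMPLE_API_KEY", file_env_var="EXAMPLE_API_KEY_FILE",
                 source_root=None, environ=None):
    """Resolve the key from the environment first, then from a file whose path is
    given by a second environment variable.  A key file that lives inside the
    application's source tree is refused, since that is exactly what gets
    committed by mistake.  (env var names are hypothetical.)"""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value:
        return value.strip()
    path = environ.get(file_env_var)
    if not path:
        raise MissingSecretError(f"set {env_var} or {file_env_var}")
    key_file = Path(path).resolve()
    if source_root is not None:
        root = Path(source_root).resolve()
        if key_file == root or root in key_file.parents:
            raise MissingSecretError(f"{key_file} is inside the source tree {root}")
    return key_file.read_text(encoding="utf-8").strip()


KEY_LIKE_PARAMS = ("key", "api_key", "apikey", "token", "access_token")


def authorized_request(url, api_key):
    """Return (url, headers) with the key carried in an Authorization header.
    Refuses URLs that already carry a key-like query parameter or the key
    itself, because query strings end up in access logs and referrers."""
    query = parse_qs(urlsplit(url).query)
    leaked = [p for p in query if p.lower() in KEY_LIKE_PARAMS]
    if leaked:
        raise ValueError(f"key-like query parameters in URL: {leaked}")
    if api_key in url:
        raise ValueError("API key appears literally in the URL")
    return url, {"Authorization": f"Bearer {api_key}"}


def redact(text, api_key):
    """Mask the key before a line is written to any log."""
    if not api_key:
        return text
    return text.replace(api_key, "***REDACTED***")


# Matches assignments such as  API_KEY = "…16+ chars…"  in source or config.
KEY_PATTERN = re.compile(
    r"""(?ix)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{16,})['"]""")
SCAN_SUFFIXES = (".py", ".js", ".json", ".yml", ".yaml", ".ini", ".cfg")


def scan_source_for_secrets(source_root):
    """Return (relative path, line number) for every line that looks like an
    embedded key.  Run this before publishing or tagging a release."""
    root = Path(source_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".env":
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if KEY_PATTERN.search(line):
                findings.append((str(path.relative_to(root)), lineno))
    return findings


def demo():
    """Build a constructed sandbox (a fake source tree with one embedded key
    and a key file outside it) and return what the checks found."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "app"
        src.mkdir()
        (src / "config.py").write_text('API_KEY = "sk_live_0123456789abcdef"\n')  # constructed leak
        (src / "client.py").write_text('api_key = os.environ["EXAMPLE_API_KEY"]\n')  # clean
        secrets_dir = tmp / "secrets"
        secrets_dir.mkdir()
        key_file = secrets_dir / "api_key.txt"
        key_file.write_text("sk_live_fedcba9876543210\n")  # constructed key, outside the tree
        results["findings"] = scan_source_for_secrets(src)
        results["key"] = load_api_key(source_root=src,
                                      environ={"EXAMPLE_API_KEY_FILE": str(key_file)})
        try:
            load_api_key(source_root=src,
                         environ={"EXAMPLE_API_KEY_FILE": str(src / "config.py")})
            results["inside_tree_rejected"] = False
        except MissingSecretError:
            results["inside_tree_rejected"] = True
        try:
            authorized_request("https://api.example.com/v1/items?api_key=" + results["key"],
                               results["key"])
            results["url_key_rejected"] = False
        except ValueError:
            results["url_key_rejected"] = True
        url, headers = authorized_request("https://api.example.com/v1/items?page=2",
                                          results["key"])
        results["log_line"] = redact(f"GET {url} auth={headers['Authorization']}",
                                     results["key"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scanner is deliberately simple (a regex over assignments with a long quoted value), so treat it as a last line of defence behind the .gitignore rule and the code review step, not a replacement for them.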