What are the best practices for using application keys (such as Twitter API keys or Parse.com keys) on a server?
We have some NodeJS code that needs to be deployed to a cloud server that will access the Twitter and Parse.com API. Is it safe to push the keys in a config.js module to a Git repo and then clone that repo on the server (or am I just being paranoid)?
Best How To :
Git repos can easily leak through insecure forks, one of the developer's computer getting infected, accidential exposures, etc.
Even if git repo is fully secure (impossible), you are opening other vectors of attack: what if you expand, get more people workign on a project? You essentially have to ultimately trust each of them with the keys.
There is no point in storing the keys in any version control software, just keep them somewhere safe with back-up, and upload to the final server using SSH.
Following best practices never hurts:
- Have structured but unfilled
config.js in repository to ease the setup.
- Use SSH or other secure methods to modify the
config.js on the final server, inserting the values.
P.S. You are not paranoid at all (it is hardly possible to be too cautious in this time).