Keeping API keys and access details for the database secure

Question

What is best practice for keeping API keys and access details for the database secure?

We will be deploying with Nodejitsus jitsu deploy so my thought is to have a config file that will not be part of git.

Our current config file which I will have .gitignore'd

module.exports = (app) ->

    app.configure 'development', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'xxx'
                client_secret: 'xxx'
                redirect_uri: 'http://127.0.0.1:3000/account/auth/foursquare/done'

        return

    app.configure 'production', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'yyy'
                client_secret: 'yyy'
                redirect_uri: 'http://example.com/account/auth/foursquare/done'

        return


    return

score 2 · Accepted Answer · answered May 04 '12 at 02:24

Usually what I do is store my configuration in a config.json, add it to my .gitignore, and then include a .npmignore so that npm doesn't use the .gitignore to decide what to bundle. That way, git doesn't add the config.json yet jitsu bundles it on deploy.

env variables, as booyaa suggested, will also work.

score 1 · Answer 2 · answered Apr 24 '12 at 08:08

1

You could store the API keys (and other secrets) as environmental variables using jitsu env command. Then use process.env to grab these variables within your node.js app.

answered Apr 24 '12 at 08:08

booyaa

4,437
2
26
32

Keeping API keys and access details for the database secure

2 Answers2

Related