
Secrets Management Deep Dive

Hardcoded secrets are one of the most common — and most dangerous — security mistakes. A single API key committed to a public repository can be exploited within minutes. Proper secrets management isn't optional; it's essential.

Secrets Management Options

Environment variables are the simplest approach. Your application reads credentials from the environment rather than code:

import os

# Credentials come from the deployment environment, never from source.
# .get() returns None when the variable is unset, so check for that at startup
# rather than failing later on the first database call.
database_url = os.environ.get('DATABASE_URL')
api_key = os.environ.get('STRIPE_API_KEY')

This keeps secrets out of your codebase but requires secure configuration of your deployment environment.
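The snippet above returns None silently when a variable is missing. The following is an added example (not part of the original page) of a small loader that fails fast at startup and redacts the value in logs and tracebacks; the class and function names are my own, and the env dict passed in is a constructed stand-in for os.environ.

```python
import os
from dataclasses import dataclass, field


class MissingSecretError(RuntimeError):
    """Raised at startup when a required secret is absent from the environment."""


@dataclass(frozen=True)
class Secret:
    """Wraps a secret value so that repr()/str() (and therefore log lines and
    tracebacks that format the object) never print the value itself."""
    name: str
    value: str = field(repr=False)

    def __repr__(self) -> str:
        return f"Secret({self.name}=<redacted>)"

    def __str__(self) -> str:
        return "<redacted>"


def load_secret(name: str, env=None, required: bool = True):
    """Read one secret from `env` (defaults to os.environ).

    Empty strings count as unset: a blank value in a deployment config is
    almost always a misconfiguration, not an intentional credential.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None or value.strip() == "":
        if required:
            raise MissingSecretError(f"required secret {name} is not set")
        return None
    return Secret(name, value)


def load_config(env=None) -> dict:
    """Load every secret the application needs in one place, so a missing
    value aborts startup instead of surfacing as a runtime error later."""
    return {
        "DATABASE_URL": load_secret("DATABASE_URL", env),
        "STRIPE_API_KEY": load_secret("STRIPE_API_KEY", env),
    }


if __name__ == "__main__":
    # Constructed environment for demonstration; in production this is os.environ.
    demo_env = {
        "DATABASE_URL": "postgres://app@db.internal/app",
        "STRIPE_API_KEY": "constructed-placeholder-key",
    }
    cfg = load_config(demo_env)
    print(cfg)  # values appear as <redacted>
```

Loading all secrets in one function at startup also gives you a single place to add a check that the same value is not being reused across environments.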

Platform secrets like GitHub Secrets or Railway's environment variables provide encrypted storage integrated with your deployment pipeline. Secrets are injected at runtime and never exposed in logs.

Dedicated secrets managers like HashiCorp Vault, AWS Secrets Manager, or Doppler offer advanced features: automatic rotation, audit logging, fine-grained access control, and dynamic secrets that expire automatically.

Best Practices

Never commit secrets. Add sensitive files to .gitignore and use pre-commit hooks to catch accidental commits:

# Install git-secrets
git secrets --install
git secrets --register-aws  # Catches AWS credentials

# Blocks commits containing secrets
git commit -m "Add feature"
# Error: Possible AWS credentials found

Use different secrets per environment. Development, staging, and production should each have unique credentials. A compromised development key shouldn't affect production.

Apply least privilege. Database credentials should have minimal permissions. An application that only reads data shouldn't have delete access.

Audit access regularly. Know who and what can access each secret. Remove access when it's no longer needed.

Secret Rotation

Secrets should be rotated regularly and immediately after any suspected compromise. A safe rotation process:

  1. Generate the new secret
  2. Update your secrets manager
  3. Deploy your application (it reads the new secret)
  4. Verify everything works
  5. Revoke the old secret

For zero-downtime rotation, your application should accept both old and new secrets briefly during the transition.
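One way to implement the dual-secret transition described above, as an added example that is not part of the original page: the verifier accepts the current secret always, and the previous one only within a bounded grace window, so step 5 (revoking the old secret) happens automatically even if nobody runs it by hand. The class name, the grace period and the injectable clock are my own assumptions.

```python
import hmac
import time


class RotatingSecretVerifier:
    """Server-side check for a shared secret (e.g. a webhook signing key or API key)
    that tolerates a short overlap between the old and new value during rotation."""

    def __init__(self, current: str, grace_seconds: int = 300, clock=time.time):
        self._current = current
        self._previous = None
        self._previous_expires_at = None
        self._grace = grace_seconds
        self._clock = clock  # injectable so the window can be tested deterministically

    def rotate(self, new_secret: str) -> None:
        """Rotation steps 1-3: the new secret becomes current and the old one
        stays valid only until the grace window closes."""
        self._previous = self._current
        self._previous_expires_at = self._clock() + self._grace
        self._current = new_secret

    def revoke_previous(self) -> None:
        """Rotation step 5, run early once step 4 (verification) has passed."""
        self._previous = None
        self._previous_expires_at = None

    def _previous_still_valid(self) -> bool:
        return (
            self._previous is not None
            and self._previous_expires_at is not None
            and self._clock() < self._previous_expires_at
        )

    def verify(self, presented: str):
        """Return "current", "previous" or None. Uses a constant-time comparison
        so timing does not leak how many leading bytes matched."""
        presented_b = presented.encode("utf-8")
        if hmac.compare_digest(presented_b, self._current.encode("utf-8")):
            return "current"
        if self._previous_still_valid() and hmac.compare_digest(
            presented_b, self._previous.encode("utf-8")
        ):
            return "previous"
        # Expired previous secrets are dropped lazily so they cannot linger.
        if self._previous is not None and not self._previous_still_valid():
            self.revoke_previous()
        return None


if __name__ == "__main__":
    v = RotatingSecretVerifier("old-key-constructed")
    v.rotate("new-key-constructed")
    print(v.verify("new-key-constructed"), v.verify("old-key-constructed"))
```

Logging which of the two values a caller used is worth doing: once no client has presented "previous" for a while, it is safe to revoke before the window expires, and a client still on the old value after rotation is a sign that one deployment did not pick up the new secret.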

Detecting Leaked Secrets

Even with precautions, leaks happen. Detection tools help you respond quickly:

TruffleHog scans your entire git history for secrets that might have been committed and later deleted — they're still in the history.

GitHub secret scanning automatically detects tokens from major providers and can notify you or even revoke them automatically.

When you detect a leak, assume the secret is compromised. Rotate immediately, then investigate how it happened.
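To show what tools like the ones above are doing under the hood, here is an added example (not part of the original page, and not the code of TruffleHog or GitHub secret scanning) of the two detection strategies they combine: a fixed-format pattern for a known provider's credential, and a generic assignment pattern backed by a Shannon-entropy check to suppress obvious placeholders. The sample text it scans is constructed; the AWS key in it is the documented example value from AWS's own docs, and the other values are made up.

```python
import math
import re
from collections import Counter

# Fixed-format pattern: AWS access key IDs start with "AKIA" followed by 16 chars.
# Generic pattern: "api_key = ..." style assignments with a long token on the right.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, "aaaa..." scores 0."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(candidate: str) -> str:
    """Keep just enough of the value to locate it; never report the full secret."""
    return candidate[:4] + "..." + candidate[-2:]


def scan_line(line: str, entropy_threshold: float = 3.5):
    """Return (pattern_name, redacted_value) for each likely secret on one line."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            candidate = match.group(match.lastindex or 0)
            # Provider-specific formats are reliable on their own; the generic
            # rule needs the entropy gate to drop placeholders like "changeme".
            if name == "aws_access_key_id" or shannon_entropy(candidate) >= entropy_threshold:
                findings.append((name, redact(candidate)))
    return findings


def scan_text(text: str):
    """Scan multi-line text (a file, or `git log -p` output) and return
    (line_number, pattern_name, redacted_value) tuples."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, redacted in scan_line(line):
            results.append((line_no, name, redacted))
    return results


# Constructed sample resembling a committed .env file.
SAMPLE = "\n".join([
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",            # AWS's documented example ID
    'STRIPE_API_KEY = "x9Qf3LmZ2pVt7RbWqY4nKd8cJh6sAe1u"',  # made-up high-entropy value
    'password = "changeme"',                             # too short to match
    'token = "aaaaaaaaaaaaaaaaaaaa"',                    # matches, but zero entropy
    "DATABASE_URL=postgres://app@db.internal/app",       # no credential present
])


if __name__ == "__main__":
    for line_no, name, redacted in scan_text(SAMPLE):
        print(f"line {line_no}: {name} -> {redacted}")
```

Because git keeps deleted content in history, the same function should be run over `git log -p` output rather than only the working tree; deleting the line in a later commit does not remove the secret from the repository.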


Last updated December 26, 2025
