
Secrets Management

Keeping API keys, tokens, and passwords out of code and under control.


The Risk

Secrets like API keys, database passwords, and tokens grant access to systems. Hardcoding them in source or committing them to version control leaks them to anyone with repository access, and because they persist in history, clones, and backups, deleting them later does not undo the exposure.

Better Practices

  • Store secrets in a dedicated secrets manager or vault, not in code.
  • Inject them at runtime via environment variables or mounted files.
  • Keep them out of logs, error messages, and client-side bundles.
  • Use least-privilege scopes so each secret unlocks only what it must.

Rotation And Detection

  • Rotate secrets regularly and immediately after any suspected exposure.
  • Scan commits and CI logs with secret scanning tools to catch leaks early.
  • Maintain an audit trail of who accessed which secret and when.
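The scanning step above, and the rule that a secret must never reach a log, as one added example (not code from this lesson): a small scanner that checks commit-diff or CI-log lines for credential-looking values and reports them redacted, so the report itself cannot leak the secret. The sample lines, the pattern names, and the entropy threshold are constructed for this illustration; the AWS key shown is the public documentation example, not a live key.

```python
import math
import re
from collections import Counter

# Constructed sample lines, as they might appear in a commit diff or CI log.
SAMPLE_LINES = [
    'DB_PASSWORD = "correct-horse-battery-staple-2024"',
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',   # AWS documentation example key, not live
    'token: ghp_abcdefghijklmnopqrstuvwxyz0123456789',
    'api_key = os.environ["API_KEY"]',            # runtime injection: the right pattern
    'export LOG_LEVEL=debug',
]

# Known-prefix token formats first, then a generic "secret-looking assignment".
PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\s*[:=]\s*[\"']?([^\s\"']{8,})"),
}

def shannon_entropy(s):
    """Bits per character; placeholder-like values ('aaaaaaaa') score near zero."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value):
    """Keep a short prefix for triage, mask the rest so findings are safe to log."""
    return value[:4] + "..." + "*" * max(0, len(value) - 4)

def scan_lines(lines, min_entropy=3.0):
    """Return (line number, pattern name, redacted value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            # A lookup from the environment is injection at runtime, not a leak.
            if "os.environ" in value or "${" in value:
                continue
            if name == "generic-assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, name, redact(value)))
            break  # one finding per line is enough for triage
    return findings

if __name__ == "__main__":
    for lineno, name, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {name}: {masked}")
```

In a pipeline this runs over `git diff` output or captured CI logs before the job is allowed to proceed; any finding should trigger rotation of the affected secret, not just removal of the line.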

Key idea

Secrets must live in a managed vault and be injected at runtime, scoped tightly, scanned for leaks, and rotated rather than committed to code.

Check yourself


1. Why is committing a secret to version control dangerous?

2. What should you do after a secret is suspected to be exposed?