When building a site, it is very likely that you will need to include sensitive values that you do not want to expose to the world. How do you keep these safe?
Here are some important things to keep in mind:

Many APIs will provide you with multiple keys. One will usually be called the client key or public key. The words client and public let you know that it is OK for this value to be exposed on the frontend. Conversely, if you see private_key, api_key, secret_key or something like this, you should assume it must be safeguarded and never shipped to the browser.
To manage your secret keys while developing locally (on the backend), I recommend something like dotenv. The basic steps are:

1. Create a .env file in your home directory.
2. Add your secrets to .env in the format SECRET_NAME=SECRET, with one secret per line.
3. Modify your settings.py file (for Django) to read each secret from the environment and assign it to a variable in that file.

When you want to deploy, services like Heroku have an interface for you to add Environment Variables. This is where you would put the variables that you defined in your .env file.
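The steps above, worked through as an added example that is not part of the original post. A real project would call load_dotenv() from the python-dotenv package; the parse_env_file and load_env_file functions here are a simplified stand-in written for this example so that it runs without that dependency, and the .env contents, variable names (SECRET_KEY, STRIPE_PUBLIC_KEY, STRIPE_SECRET_KEY) and placeholder values are constructed. Two behaviours worth noticing: values already present in the environment win over the .env file, which is what lets a platform's environment variables take precedence in production, and a missing secret raises instead of silently falling back to a default. The env_file_is_ignored helper is a simple check that .env is listed in .gitignore, since a .env file that gets committed defeats the whole scheme.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample .env content; none of these are real credentials.
SAMPLE_ENV = """# comments and blank lines are ignored
SECRET_KEY=dev-only-not-a-real-secret
STRIPE_PUBLIC_KEY="pk_test_placeholder"

STRIPE_SECRET_KEY='sk_test_placeholder'
"""


def parse_env_file(text):
    """Parse SECRET_NAME=SECRET lines into a dict (simplified stand-in for dotenv parsing)."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f".env line {lineno}: expected NAME=VALUE, got {raw!r}")
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        # Strip one layer of matching single or double quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[name] = value
    return values


def load_env_file(path, environ=None, override=False):
    """Load .env values into the environment. As with python-dotenv's load_dotenv,
    variables that are already set win unless override=True, so values configured
    on the hosting platform take precedence over the local file."""
    env = os.environ if environ is None else environ
    path = Path(path)
    if not path.exists():  # no .env in production is normal; the platform sets the vars
        return {}
    loaded = parse_env_file(path.read_text())
    for name, value in loaded.items():
        if override or name not in env:
            env[name] = value
    return loaded


def get_secret(name, environ=None):
    """Read a required secret from the environment; fail loudly rather than use a default."""
    env = os.environ if environ is None else environ
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(
            f"Missing required environment variable {name}: add it to .env locally "
            "or to the platform's environment variables in production"
        ) from None


def env_file_is_ignored(project_dir):
    """Simple check that .gitignore lists .env so the secrets file cannot be committed."""
    gitignore = Path(project_dir) / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = {line.strip() for line in gitignore.read_text().splitlines()}
    return bool(patterns & {".env", "/.env", "*.env"})


def demo():
    """Simulate the local-development flow in a temporary project directory."""
    with tempfile.TemporaryDirectory() as project_dir:
        Path(project_dir, ".env").write_text(SAMPLE_ENV)
        Path(project_dir, ".gitignore").write_text(".env\n")
        # Pretend the platform already set SECRET_KEY; the .env value must not replace it.
        env = {"SECRET_KEY": "from-platform"}
        load_env_file(Path(project_dir, ".env"), environ=env)
        # This mirrors what settings.py would do: SECRET_KEY = get_secret("SECRET_KEY")
        return {
            "secret_key": get_secret("SECRET_KEY", env),
            "stripe_secret": get_secret("STRIPE_SECRET_KEY", env),
            "env_ignored": env_file_is_ignored(project_dir),
        }


if __name__ == "__main__":
    print(demo())
```

In settings.py the equivalent of step 3 is a single line per secret, such as SECRET_KEY = get_secret("SECRET_KEY"), placed after the .env file has been loaded; keeping the public key and the secret key in separate variables makes it obvious which one may be passed to templates and which must stay on the server.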