HACKER Q&A
📣 humility

How do you manage app secrets?


In a web application, there are so many secrets to be managed - db passwords, jwt secrets, session secrets, etc.. what's a good strategy to manage them? I don't imagine committing them to version control is a good idea?

  👤 jeremija Accepted Answer ✓
I usually have a base config file that's committed and serves as an example or for developing with local services that I (or any other dev) can run easily via docker compose. Additionally, any setting can be overridden with an appropriate environment variable.

For test/production environments I have a separate config file that is not committed to the repository.

Continuous integration tools like GitLab CI, Drone CI, and I believe Travis CI have support for application secrets so that can be used for automated deployment. Alternatively, these config files can live on the servers.

Some automation tools like Ansible have the ability to encrypt the secrets so they can be pushed to the repository, but I've never done it. Docker swarm also has support for defining secrets, and I'm sure Kubernetes does too.