Keeping API keys and access details for the database secure

What is best practice for keeping API keys and access details for the database secure?

We will be deploying with Nodejitsus jitsu deploy so my thought is to have a config file that will not be part of git.

Our current config file which I will have .gitignore'd

module.exports = (app) ->

    app.configure 'development', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'xxx'
                client_secret: 'xxx'
                redirect_uri: 'http://127.0.0.1:3000/account/auth/foursquare/done'

        return

    app.configure 'production', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'yyy'
                client_secret: 'yyy'
                redirect_uri: 'http://example.com/account/auth/foursquare/done'

        return


    return

Usually what I do is store my configuration in a config.json, add it to my .gitignore, and then include a .npmignore so that npm doesn't use the .gitignore to decide what to bundle. That way, git doesn't add the config.json yet jitsu bundles it on deploy.

env variables, as booyaa suggested, will also work.

You could store the API keys (and other secrets) as environmental variables using jitsu env command. Then use process.env to grab these variables within your node.js app.

来源：https://stackoverflow.com/questions/10282570/keeping-api-keys-and-access-details-for-the-database-secure

标签

git

security

node.js

nodejitsu

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!