Keeping API keys and access details for the database secure

问题

What is best practice for keeping API keys and access details for the database secure?

We will be deploying with Nodejitsus jitsu deploy so my thought is to have a config file that will not be part of git.

Our current config file which I will have .gitignore'd

module.exports = (app) ->

    app.configure 'development', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'xxx'
                client_secret: 'xxx'
                redirect_uri: 'http://127.0.0.1:3000/account/auth/foursquare/done'

        return

    app.configure 'production', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'yyy'
                client_secret: 'yyy'
                redirect_uri: 'http://example.com/account/auth/foursquare/done'

        return


    return

回答1:

Usually what I do is store my configuration in a config.json, add it to my .gitignore, and then include a .npmignore so that npm doesn't use the .gitignore to decide what to bundle. That way, git doesn't add the config.json yet jitsu bundles it on deploy.

env variables, as booyaa suggested, will also work.

回答2:

You could store the API keys (and other secrets) as environmental variables using jitsu env command. Then use process.env to grab these variables within your node.js app.

来源：https://stackoverflow.com/questions/10282570/keeping-api-keys-and-access-details-for-the-database-secure