Cybersecurity In-Depth

The Edge

How Do I Protect My API Keys From Appearing in Search Results?

A few lines of code can help you prevent accidental exposure, manage sensitive information, and maintain different configurations for various environments.

Question: How do I keep my API keys from becoming part of someone else's GitHub search?

Answer: Storing API keys directly in your code is generally not recommended due to the potential security risks. If your code is ever shared or becomes publicly accessible, anyone who sees the API key can use it, potentially leading to abuse or a security breach.

Here are several ways to store API keys securely:

  • Environment variables: You can store API keys in environment variables on your machine and then access these variables from your code. This method has the advantage of keeping the keys out of your code. (They are in the environment where the code runs.) It also means that the keys can be different for different environments, such as your local machine, a development server, a production server, etc.
  • Configuration files: You can also store API keys in a separate configuration file that is not included in your code repository. This file should be added to your .gitignore file to prevent it from being committed to your repository. Be sure to add appropriate file-level permissions to this configuration file to prevent unauthorized access. In your code, you would read the API keys from this file.
  • Secrets management systems: For larger applications or more sensitive data, you might consider using a secrets management system. These are specialized tools, such as AWS Secrets Manager, HashiCorp's Vault, and Google's Secret Manager, that help manage access to secrets like API keys.
  • Environment-specific configuration services: Platforms like Heroku and Netlify have specific features or services for setting environment variables, which can be used to store API keys.
  • Encrypted storage: If you need to store the API keys in a database or other storage system, you should encrypt them. This way, even if someone gains access to the storage system, they won't be able to use the keys without the encryption key.

Let's take a look at how to implement the first two, the lowest-overhead of these solutions, in secure coding. I've used Python as the example language for this, though any language will have similar concepts. The advantage of Python is its simplicity and ease of use, which together with its formidable data-handling capabilities make it ideal for most uses.

To Use Environment Variables for Storing API Keys

Environment variables allow you to store sensitive information, such as API keys, outside of your source code. They are accessible to the application during runtime and can be easily configured on different environments (e.g., development, staging, and production).

First, set the environment variable in your system or the platform where your application is running. In a Unix-based system, you can set an environment variable using the export command:

% export API_KEY=<your_api_key>

Next, access the environment variable in your application's code. For example, in Python, you can access the value of an environment variable using the os module:

% python import os api_key = os.environ['API_KEY']

To Use External Configuration Files for Storing API Keys

Another way for the beginning developer or data scientist to store API keys is via external configuration files. These can be very useful; however, you should exclude them from the repository using .gitignore or the equivalent.

First, create a configuration file, such as config.json, and store the API key in it:

json { "api_key": "<your_api_key>" }

Next, add the configuration file to your project's .gitignore (or equivalent) to ensure it's not tracked by your version control system.

Finally, load the configuration file in your application's code to access the API key. For example, in Python, you can load a JSON configuration file and access the API key like this:

import json with open('config.json') as f
config = load(f) api_key = config['api_key']

Lock Up Your APIs

By using either environment variables or external configuration files, you can better protect your API keys from accidental exposure, simplify management of sensitive information, and make it easier to maintain different configurations for various environments. You should enforce proper access controls on the environment variables and configuration files to prevent unauthorized access.

As your project grows in complexity (and importance), it may be advisable to move to platforms with innate capability, such as secrets management systems or environment-specific configuration services, for storing sensitive items. However, these quick solutions help you start off on a more secure footing.