Credentials in configuration files are typically secured in one of two ways:
- As encrypted text, which the application must decrypt in order to use.
- As a deployment-time variable which replaces a pre-existing property in the configuration file.
Both options should be secured additionally by restricting who can log in to the servers and view items in the file system. Each application and service should be given the minimal permissions and file system access to do its job.
All of this implies server-side management of these credentials. If a client-side application requires credentials, you would typically use something like OpenID Connect and JSON Web Tokens to pass ephemeral credentials back to the user after they log in.
Configuration files should be kept out of the public/servable directories for a web server. You should not be allowed to request http://example.com/production.env and get the file. This can be accomplished using web server configuration such that the application has rights to read the config file, but the web server will not map a URL to the file on disk.
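A small audit for the two checks described above (config file kept out of the servable directory, minimal file system access), as an added example that is not part of the original text. The function name `audit_config`, the finding labels and the temporary directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_config(config_path, web_root):
    """Return a list of findings for one config file; an empty list means it passed."""
    findings = []
    cfg = Path(config_path).resolve()      # resolve() follows symlinks
    root = Path(web_root).resolve()
    # A file anywhere under the document root can be mapped to a URL.
    if cfg == root or root in cfg.parents:
        findings.append("inside-web-root")
    # Also catch a symlink placed in the web root that points at the file.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if link.is_symlink() and link.resolve() == cfg:
                findings.append("symlinked-from-web-root")
    mode = cfg.stat().st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit two placements."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "public")
        private = Path(tmp, "config")
        web_root.mkdir()
        private.mkdir()
        bad = web_root / "production.env"      # servable and readable by everyone
        bad.write_text("DB_PASSWORD=constructed-sample\n")
        os.chmod(bad, 0o644)
        good = private / "production.env"      # outside the web root, owner-only
        good.write_text("DB_PASSWORD=constructed-sample\n")
        os.chmod(good, 0o600)
        return audit_config(bad, web_root), audit_config(good, web_root)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("in web root:", bad_findings)
    print("outside web root:", good_findings)
```

A check like this fits in a deployment pipeline step that fails the release when the returned list is not empty.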
There is no single way to secure credentials. It requires an understanding of how web servers work, how HTTP works, the security risks involved with web browser-based applications, and how to configure deployment scripts or pipelines to store sensitive credentials.