Never commit secrets to git — use env vars for level 1, Vault/AWS Secrets Manager for production with TTL-based dynamic secrets; Kubernetes secrets are base64-encoded, not encrypted (use Sealed Secrets or External Secrets Operator).
Secrets (API keys, DB passwords, JWT secrets) must never live in code or version control. Layers of secrets management:

- Environment variables (level 1): inject via CI/CD, Docker, or Kubernetes secrets. Never commit a production .env to git; keep a .env.example as a template with no real values.
- Secret scanning: GitHub Secret Scanning auto-detects leaked secrets in commits; GitGuardian runs in CI; a git-secrets pre-commit hook blocks commits that contain secrets.
- Vault solutions (level 2): HashiCorp Vault (centralized, dynamic secrets: generates temporary DB credentials per deployment and auto-rotates them), AWS Secrets Manager (managed, integrates with EC2/Lambda/ECS, auto-rotation for RDS), Azure Key Vault, GCP Secret Manager.
- Dynamic secrets: Vault creates a unique DB user and password per app instance with a TTL, so a compromised secret is useless once it expires and no manual rotation is needed.
- SOPS (Secrets OPerationS): encrypts secret files in git with age or GPG, which allows secrets-as-code while keeping the values encrypted.
- Kubernetes secrets: base64-encoded, NOT encrypted; use Sealed Secrets (kubeseal) or External Secrets Operator to sync from Vault/AWS.
- Rotation policy: rotate secrets after a team member is offboarded, after a breach, and proactively every 90 days.
- Pitfall: startup log statements such as console.log('Connecting to', process.env.DATABASE_URL); connection URLs often contain embedded credentials, so that log line leaks them.
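The two level-1 points above, loading a secret from the environment and not echoing it in startup logs, as an added Node.js example that is not part of the original page. The helper names (redactConnectionString, requireSecret, startupMessage) and the sample DATABASE_URL value are constructed for the illustration.

```javascript
// Added example: safe handling of DATABASE_URL read from the environment.
// 1) Fail fast when the secret is missing instead of falling back to a
//    hard-coded default.
// 2) Never print the raw connection string: URLs carry embedded credentials.

// Replace user:password in a URL-style connection string with a placeholder.
// Anything the URL parser rejects is redacted wholesale rather than risked.
function redactConnectionString(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return '[unparseable connection string, redacted]';
  }
  if (parsed.username !== '') parsed.username = '***';
  if (parsed.password !== '') parsed.password = '***';
  return parsed.toString();
}

// Read a required secret from the environment (injected by CI/CD, Docker or
// a Kubernetes secret). Throw on absence so a misconfigured deployment
// stops at startup instead of running with an empty credential.
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(`Missing required secret ${name}; inject it via the environment`);
  }
  return value;
}

// The startup log line the page warns about, with credentials masked.
function startupMessage(env = process.env) {
  const url = requireSecret('DATABASE_URL', env);
  return `Connecting to ${redactConnectionString(url)}`;
}

// Constructed sample environment; the password is a placeholder, not a real secret.
const sampleEnv = {
  DATABASE_URL: 'postgres://app:s3cr3t-placeholder@db.internal:5432/orders',
};
console.log(startupMessage(sampleEnv));
```

Prints `Connecting to postgres://***:***@db.internal:5432/orders`; the same redaction should wrap any other logger call that touches a connection string.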