13
Stop hardcoding your API keys in JavaScript files if you don't want your account drained
I saw a post on Reddit yesterday where a guy showed his weather app project and someone pointed out his Stripe secret key was just sitting there in plain text. Two hours later his account got hit for $400 in test charges. I almost did the same thing when I started messing with React last month, but a buddy caught it. Use environment variables or dotenv; it takes two minutes to set up. Has anyone else nearly learned this the hard way?
2 comments
ryanh77 6d ago
Nelson.gavin is rolling the dice and doesn't even realize it. The problem isn't just about traffic or how popular your project is; it's about automated bots that scrape GitHub repos specifically looking for exposed keys. Your little weather app doesn't need to be famous; someone's script will find it if you push that code to a public repo. Those $400 in test charges could just as easily hit someone with a $5 API credit balance, but the principle is the same: you're handing over the keys to your account for no reason. Environment variables are so dead simple that there's really no excuse not to use them, even for the most obscure hobby project. One bad day and that "nothing will happen" attitude turns into a headache you could have avoided in two minutes.
8
nelson.gavin 6d ago
I mean, is it really that serious though? You see these horror stories online, but for every guy who gets his account drained there's probably a hundred people who did exactly this and nothing happened. I've had API keys sitting in plain JS files for small hobby projects for years and never had an issue (though to be fair, my stuff is so obscure nobody would bother). The Stripe thing sounds scary, but come on, that guy must have had some serious traffic or posted it on a huge subreddit for someone to notice and actually exploit it. I feel like if you're just messing around with a little weather app for your portfolio, the chances are basically zero.
3