ENV variables?
emilebosch opened this issue
Emile Bosch commented
Are ENV variables still considered a good practice? I know Heroku does them by default, but I do have my doubts. I would say that env vars can be accidentally leaked and end up in logs; they are also unencrypted if they do. They are also often dumped for debugging or by error reporting. Also, in a supply chain attack, submitting env is probably the first thing one would do. Any feedback?
Andrew Kane commented
Hey @emilebosch, I still think it's a good practice (but alternatives like Rails secrets would also work). I'm not aware of any error reporting or debugging tools that log them automatically.