Keeping API keys and access details for the database secure

Question

What is best practice for keeping API keys and access details for the database secure?

We will be deploying with Nodejitsu's jitsu deploy, so my thought is to have a config file that will not be part of git.

Our current config file, which I will have .gitignore'd:

module.exports = (app) ->

    app.configure 'development', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'xxx'
                client_secret: 'xxx'
                redirect_uri: 'http://127.0.0.1:3000/account/auth/foursquare/done'

        return

    app.configure 'production', ->

        global.config = 
            dbUrl: 'mongodb://username:password@host:port/closet'
            foursquare:
                client_id: 'yyy'
                client_secret: 'yyy'
                redirect_uri: 'http://example.com/account/auth/foursquare/done'

        return


    return

Recommended answer

Usually what I do is store my configuration in a config.json, add it to my .gitignore, and then include a .npmignore so that npm doesn't use the .gitignore to decide what to bundle. That way, git doesn't add the config.json yet jitsu bundles it on deploy.

env variables, as booyaa suggested, will also work.
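
A pre-deploy check for the layout the answer describes, combined with a loader that lets environment variables override config.json. This is an added example, not code from the original post; the file names follow the answer, while the environment variable names (DB_URL, FOURSQUARE_CLIENT_ID, FOURSQUARE_CLIENT_SECRET) and all sample values are assumptions.

```javascript
// Added example, not code from the original post. File names follow the answer;
// the environment variable names (DB_URL, FOURSQUARE_*) are assumptions.

// True when an ignore file lists `name` as an exact entry (globs are not evaluated).
function listsEntry(text, name) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== '' && !line.startsWith('#'))
    .some((line) => line === name || line === '/' + name);
}

// Checks the layout from the answer. Pass null for a file that does not exist.
function checkIgnoreLayout(gitignoreText, npmignoreText) {
  const problems = [];
  if (gitignoreText === null || !listsEntry(gitignoreText, 'config.json')) {
    problems.push('config.json is not listed in .gitignore');
  }
  if (npmignoreText === null) {
    problems.push('.npmignore is missing, so npm falls back to .gitignore');
  } else if (listsEntry(npmignoreText, 'config.json')) {
    problems.push('.npmignore excludes config.json from the bundle');
  }
  return problems;
}

// Environment variables take precedence over config.json; missing values fail closed.
function loadConfig(env, fileConfig) {
  const file = fileConfig || {};
  const fsq = file.foursquare || {};
  const config = {
    dbUrl: env.DB_URL || file.dbUrl,
    foursquare: {
      client_id: env.FOURSQUARE_CLIENT_ID || fsq.client_id,
      client_secret: env.FOURSQUARE_CLIENT_SECRET || fsq.client_secret,
    },
  };
  const missing = [];
  if (!config.dbUrl) missing.push('dbUrl');
  if (!config.foursquare.client_id) missing.push('foursquare.client_id');
  if (!config.foursquare.client_secret) missing.push('foursquare.client_secret');
  if (missing.length > 0) throw new Error('missing config: ' + missing.join(', '));
  return config;
}

// Constructed sample inputs (not real credentials).
const sampleFile = { dbUrl: 'mongodb://user:pass@db.example:27017/closet',
                     foursquare: { client_id: 'file-id', client_secret: 'file-secret' } };
console.log(checkIgnoreLayout('node_modules\nconfig.json\n', 'node_modules\n')); // []
console.log(loadConfig({ FOURSQUARE_CLIENT_SECRET: 'env-secret' }, sampleFile).foursquare.client_id);
```

In a project, the two texts would come from reading .gitignore and .npmignore, and the env argument would be process.env. Because .npmignore lets config.json into the bundle, npm publish would include it as well; "private": true in package.json prevents an accidental publish.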
