Building software projects involves managing various services and environment-specific variables, which often means securely storing sensitive data such as database and cloud service credentials.
One common mistake developers make is storing these credentials directly in the source code, a practice that can lead to severe consequences if the code repository becomes public.
Consider a developer who made this mistake while the repository was private. Then the company suddenly decided to make the repository open source, and through negligence nobody removed the credentials used to connect to the database.
The entire community now had access to the source code, and with it the credentials, which was a blunder. To avoid such scenarios, the first thing we need to do is move these secrets out of the source code.
Explore the .env Way of Doing Things in Node.js
During the development of Node.js applications, we leverage the .env file feature, specifically designed for handling environment-specific variables.
These variables encompass a wide range, from database connection credentials to object storage URLs and confidential secrets. Typically, sensitive information is securely stored within this file. Additionally, if there are specific environment-bound URLs, they can be conveniently managed within a constant file.
The .env files hold data essential to the application's functionality. Although their contents differ between environments, these files are shared among team members out of band and are never pushed to public repositories such as GitHub or Bitbucket, which keeps the critical information out of version control.
Meanwhile, if you are still new or unaware of the repository, here is a good guide.
# Sample .env file for Node.js
# Application configuration
NODE_ENV=development
PORT=3000
# Database configuration
DB_HOST=localhost
DB_PORT=5432
DB_NAME=mydatabase
DB_USER=myuser
DB_PASSWORD=mypassword
# API keys and secrets
API_KEY=your_api_key
SECRET_KEY=your_secret_key
# Logging
LOG_LEVEL=info
# Other settings
DEBUG=true
ENABLE_FEATURE_X=false
- NODE_ENV: specifies the environment mode (development, production, etc.).
- PORT: sets the port on which your application will listen.
- DB_HOST, DB_PORT, DB_NAME, DB_USER, and DB_PASSWORD are used for configuring your database connection.
- API_KEY and SECRET_KEY are placeholders for API keys or secrets used in your application.
- LOG_LEVEL sets the logging level for your application.
- DEBUG and ENABLE_FEATURE_X are example boolean flags for feature toggles or debugging.
The dotenv npm package loads the variables from the .env file into the running process. Install it, import it, and call its config function; after that, every variable in the file is available through:
process.env
Using Multiple Environments to Improve Your Development Workflow
- We can maintain multiple environments by creating a separate .env file for each environment you need, such as .env.development, .env.staging, and .env.production, each holding only the variables relevant to that environment.
.env.development (environment file for development)
# API keys and secrets
API_KEY=development_your_api_key
SECRET_KEY=development_your_secret_key
.env.staging (environment file for staging)
# API keys and secrets
API_KEY=staging_your_api_key
SECRET_KEY=staging_your_secret_key
.env.production (environment file for production)
# API keys and secrets
API_KEY=production_your_api_key
SECRET_KEY=production_your_secret_key
Set an environment variable such as NODE_ENV to indicate the current environment, and load the corresponding .env file based on that variable.
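The following is an added example, not code from the article: it re-implements the small part of dotenv's behaviour that matters here (parsing KEY=value lines, skipping comments, honouring quotes, never overwriting a variable the process already has) together with the NODE_ENV-driven file selection described above. The file contents are constructed inline so it runs without the dotenv package or a filesystem. The function names parseDotenv, envFileFor, loadEnv and requireEnv, and the check that NODE_ENV is a plain lowercase word before it is used to build a filename, are this example's own choices.

```javascript
// Added example (not from the article): a minimal loader that mimics what the
// dotenv package does, so the .env format and the per-environment file
// selection can be exercised without the package or a filesystem.
// The file contents below are constructed sample data, not real credentials.
const SAMPLE_FILES = {
  '.env': [
    '# Application configuration',
    'NODE_ENV=development',
    'PORT=3000',
    'DB_PASSWORD="my pass#word"   # quoted values keep spaces and hash signs',
    'export LOG_LEVEL=info',
  ].join('\n'),
  '.env.development': 'API_KEY=development_your_api_key\nSECRET_KEY=development_your_secret_key\n',
  '.env.staging': 'API_KEY=staging_your_api_key\nSECRET_KEY=staging_your_secret_key\n',
  '.env.production': 'API_KEY=production_your_api_key\nSECRET_KEY=production_your_secret_key\n',
};

// Parse the KEY=value format: blank lines and # comments are skipped, an
// optional "export " prefix is allowed, and single or double quotes delimit
// values that contain spaces or '#'. Unquoted values are cut at " #" so a
// trailing comment is not taken as part of the value.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue; // malformed line: ignored, as dotenv does
    let value = m[2];
    const quoted = value.match(/^(["'])(.*)\1\s*(?:#.*)?$/);
    value = quoted ? quoted[2] : value.replace(/\s+#.*$/, '').trim();
    out[m[1]] = value;
  }
  return out;
}

// Map NODE_ENV to the file name. NODE_ENV comes from outside the program, so
// it is restricted to a lowercase word before it becomes part of a path.
function envFileFor(nodeEnv) {
  const name = (nodeEnv || 'development').trim();
  if (!/^[a-z]+$/.test(name)) throw new Error(`invalid NODE_ENV: ${nodeEnv}`);
  return `.env.${name}`;
}

// Load the base .env plus the environment-specific file into `target`
// (process.env in a real application). Like dotenv, keys already present in
// `target` are never overwritten, so a value set by the deployment wins.
function loadEnv(target, files) {
  const base = parseDotenv(files['.env'] || '');
  const nodeEnv = target.NODE_ENV || base.NODE_ENV;
  const specific = files[envFileFor(nodeEnv)];
  if (specific === undefined) throw new Error(`no env file for ${nodeEnv}`);
  const merged = { ...base, ...parseDotenv(specific) };
  for (const [k, v] of Object.entries(merged)) {
    if (!(k in target)) target[k] = v;
  }
  return target;
}

// Fail fast at startup if a required variable is missing or still holds a
// "your_..." placeholder, instead of failing later with an opaque error from
// the database or API client.
function requireEnv(env, keys) {
  const bad = keys.filter((k) => !env[k] || /your_/.test(env[k]));
  if (bad.length) throw new Error(`missing or placeholder env vars: ${bad.join(', ')}`);
  return keys.map((k) => env[k]);
}

// Usage: populate an object the way dotenv would populate process.env.
const env = loadEnv({}, SAMPLE_FILES);
console.log(env.NODE_ENV, env.PORT, env.API_KEY);
```

With the real package the equivalent call is `require('dotenv').config({ path: envFileFor(process.env.NODE_ENV) })`, followed by one requireEnv check at startup so a misconfigured deployment stops before it serves traffic.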
The Disadvantage of Inserting Secrets in Code
While it is advisable to store secrets in environment files, developers occasionally make the mistake of embedding them directly into the code. This practice poses significant risks, especially when sharing source code with other teams.
Typically, repositories are kept private or limited to a specific group of developers. However, if a new team member requests the code and it is shared without first removing the secrets, crucial data is exposed.
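As an added example that is not part of the article, here is the kind of check a pre-commit hook or CI job can run to catch the mistake described above: it scans source text for assignments of a string literal to a credential-looking identifier. The input source is constructed for illustration; the function name findHardcodedSecrets and the two regular expressions are this example's own. Findings carry only a masked prefix of the value, so the scanner's own output does not copy the secret into CI logs.

```javascript
// Added example (not from the article): flag credential assignments whose value
// is a string literal. It reports lines; it does not modify them.
// The source below is constructed sample input, not real code or credentials.
const CONSTRUCTED_SOURCE = [
  'const DB_HOST = process.env.DB_HOST;',        // fine: read from the environment
  'const dbPassword = "s3cr3t-example-value";',  // flagged: literal password
  "const apiKey = 'your_api_key_goes_here';",    // flagged: literal API key
  'const secret_key = process.env.SECRET_KEY;',  // fine
  'const timeoutMs = "3000";',                   // literal, but not a credential name
  '// password = "not really", comments are skipped',
].join('\n');

// Identifier fragments that usually denote a credential.
const SECRET_NAME = /(pass(word|wd)?|secret|api[_-]?key|token|private[_-]?key|credential)/i;
// identifier = "literal" or identifier: "literal" (object properties), any quote style.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(['"`])([^'"`]*)\2/g;

function findHardcodedSecrets(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    // Drop line comments. This is deliberately simple: a "//" inside a string
    // literal would also be cut, which only causes a missed match, never a crash.
    const code = line.replace(/\/\/.*$/, '');
    for (const m of code.matchAll(ASSIGNMENT)) {
      const [, name, , value] = m;
      // Empty literals ("" as a default) are not worth reporting.
      if (SECRET_NAME.test(name) && value.length > 0) {
        findings.push({ line: idx + 1, name, masked: value.slice(0, 2) + '...' });
      }
    }
  });
  return findings;
}

// Usage: exit non-zero in CI when anything is found.
const found = findHardcodedSecrets(CONSTRUCTED_SOURCE);
for (const f of found) console.log(`line ${f.line}: ${f.name} = ${f.masked}`);
```

The name list is intentionally small and will miss credentials stored under unrelated names; it is a cheap first line of defence next to keeping .env files out of version control, not a replacement for a dedicated secret scanner.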
Considering Secrets Management Tools/Services
Employing a reliable secrets management tool or service to store sensitive data such as API keys securely is highly recommended, particularly in production environments. Dedicated solutions include AWS Secrets Manager and HashiCorp Vault.
HashiCorp Vault is a widely acclaimed team choice due to its robust features. This tool not only aids in safeguarding sensitive information but also provides a unified interface for managing various types of secrets.
With HashiCorp Vault, you benefit from stringent access controls, ensuring only authorized personnel can access critical data. The tool also maintains comprehensive audit trails, enabling detailed tracking of activities.
Furthermore, it offers essential features like data encryption, dynamic secrets generation, and robust auditing and logging capabilities, ensuring high availability and bolstering your overall security infrastructure.
About Node-Vault
Node-Vault is an npm package that helps integrate HashiCorp Vault with your Node.js applications.
To install any module into your node js application, the simplest way is to use npm install.
Here’s the command to install the node vault SDK into your application:
npm install node-vault
After installing it, import the package into your application and start using it.
The coding part of node-vault will be added in another article, which will be shared soon.
The Benefit of Node-Vault
Utilizing Node-Vault has numerous benefits, making it an indispensable asset for developers. As the official SDK endorsed by HashiCorp, Node-Vault ensures exceptional maintenance, promising reliability, and longevity in its support.
One of Node-Vault’s notable advantages lies in its alignment with best practices and contemporary JavaScript principles. It seamlessly integrates promises and async/await functionality, enhancing the overall efficiency of your application. Moreover, the library boasts robust error-handling mechanisms, ensuring a smoother and more reliable user experience.
Node-Vault’s ease of use is another standout feature. With comprehensive documentation, navigating through its functionalities becomes straightforward. In upcoming articles, I will delve deeper into its implementation, providing detailed insights and practical solutions.
A significant convenience Node-Vault offers is eliminating the need to alter client IDs or secrets across multiple sections of your codebase. By centralizing credentials management, Node-Vault enables the seamless reuse of the same credentials in both frontend and backend components. This streamlines development and simplifies application management, offering developers a hassle-free experience.
Final Thoughts
In a nutshell, the key points are:
- Node.js Secrets Management: Managing sensitive information such as API keys and database credentials is crucial during software development. Storing these credentials directly in source code can lead to security risks, especially when repositories are made public accidentally.
- Using .env files: Node.js applications can utilize .env files to store environment-specific variables, keeping secrets secure. These files are dynamic, not shared on public repositories, and accessed using the dotenv Node package. Separate .env files for different environments (development, staging, production) help manage diverse settings.
- Drawbacks of code-based Secrets: Developers occasionally embed secrets directly into the code, posing risks if source code is shared unintentionally. Such mistakes can lead to exposure of sensitive data, emphasizing the importance of proper secrets management practices.
- Using Node-Vault for enhanced security: To enhance security, developers can use tools like HashiCorp Vault, with the official SDK Node-Vault facilitating integration with Node.js applications. Node-Vault simplifies secrets management, supports best practices, and ensures consistency in credentials across frontend and backend, streamlining application management.
About The Author
Apoorv Tomar is a software developer and part of Mindroast. You can connect with him on Twitter and Telegram. Subscribe to the newsletter for the latest curated content. Don’t hesitate to say ‘Hi’ on any platform and state where you found my profile.
Better Way To Manage Your Node.js Secrets, Technically was originally published in Better Programming on Medium, where people are continuing the conversation by highlighting and responding to this story.