@harrisonqian / Rookie Mistakes & Gotchas / wiki/hardcoding-secrets-in-code.md
---
visibility: public-edit
---

# hardcoding secrets in code

*(common gotcha)*

## what happened

you push API keys, passwords, or tokens to a public GitHub repo. bots scrape GitHub for exposed secrets. within minutes, your AWS bill is $5,000, your API key is being used for crypto mining, or your database is wiped.

## why it's a gotcha

it happens to everyone at least once. you're moving fast, you hardcode a key "just for testing," you forget to remove it, you push. even if you delete the commit, the secret is in the git history and can still be found. bots are scanning GitHub continuously — this is not a theoretical risk.

bad git habits from [[not-using-version-control|not using version control properly]] compound this.

## the fix

use environment variables or a `.env` file (and add `.env` to `.gitignore`). use a secrets manager for anything production. if you accidentally push a secret, revoke and rotate it immediately — don't just delete the commit.

tools like `git-secrets` or GitHub's built-in secret scanning can catch this before it happens. and always [[check-what-you-submit|verify what you're pushing]] before you push it.
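as an added example (not part of this wiki page, and not `git-secrets` itself), here is a minimal pre-commit check in the same spirit: it scans only the lines a commit would add, flags strings shaped like an AWS access key ID, a classic GitHub token, or a quoted credential assignment, and exits non-zero so git aborts the commit. the pattern names, the generic-credential regex and the sample diff are assumptions constructed for illustration.

```python
"""Minimal pre-commit secret scan: inspect only the lines a commit would add."""
import re
import subprocess
import sys

# Secret shapes to look for. The first two follow the providers' documented
# prefixes; the third is an assumed heuristic for `password = "..."`-style lines.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def added_lines(diff_text):
    """Yield (path, line) for each line a unified diff adds, skipping file headers."""
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and not raw.startswith("+++"):
            yield path, raw[1:]


def find_secrets(diff_text):
    """Return [(path, pattern_name, line)] for every added line that looks like a secret."""
    findings = []
    for path, line in added_lines(diff_text):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, name, line.strip()))
    return findings


def staged_diff():
    """Diff of what `git commit` is about to record (needs a git checkout)."""
    return subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample diff (not a real commit): two leaks, one safe env lookup,
# and a removed line, which the scan deliberately ignores.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
-OLD_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+DB_PASSWORD = "hunter2hunter2"
+API_KEY = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    diff = staged_diff() if "--staged" in sys.argv[1:] else SAMPLE_DIFF
    hits = find_secrets(diff)
    for path, name, line in hits:
        print(f"{path}: possible {name}: {line}")
    sys.exit(1 if hits else 0)  # non-zero exit makes git abort the commit
```

run it with `--staged` from `.git/hooks/pre-commit` to check real staged changes; without the flag it runs against the constructed sample.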