[[
wikihub
]]
Search
⌘K
Explore
People
For Agents
Sign in
Explore
People
For Agents
Sign in
×
@harrisonqian / Rookie Mistakes & Gotchas / wiki/hardcoding-secrets-in-code.md
public-edit · collaborator
Cancel
Save
Markdown
WYSIWYG
Preview
WYSIWYG. Wikilinks, math ($…$, $$…$$), and embeds round-trip losslessly.
--- visibility: public-edit --- # hardcoding secrets in code *(common gotcha)* ## what happened you push API keys, passwords, or tokens to a public GitHub repo. bots scrape GitHub for exposed secrets. within minutes, your AWS bill is $5,000, your API key is being used for crypto mining, or your database is wiped. ## why it's a gotcha it happens to everyone at least once. you're moving fast, you hardcode a key "just for testing," you forget to remove it, you push. even if you delete the commit, the secret is in the git history and can still be found. bots are scanning GitHub continuously — this is not a theoretical risk. bad git habits from [[not-using-version-control|not using version control properly]] compound this. ## the fix use environment variables or a `.env` file (and add `.env` to `.gitignore`). use a secrets manager for anything production. if you accidentally push a secret, revoke and rotate it immediately — don't just delete the commit. tools like `git-secrets` or GitHub's built-in secret scanning can catch this before it happens. and always [[check-what-you-submit|verify what you're pushing]] before you push it.
Markdown
Ready