DanRz Posted December 26, 2022 Share Posted December 26, 2022 Hey, What is the best way to hide / protect credentials for use in scripts? For example, where would you store database login details, Amazon AWS logins etc so its secure and hidden away from eyes... Thanks Dan Quote Link to comment Share on other sites More sharing options...
maxxd Posted December 26, 2022 Share Posted December 26, 2022 There are several possibilities for this; for instance GitHub has secrets, bitbucket has secrets and variables, AWS has AWS Secrets Manager. I'm sure there are other services out there as well. Quote Link to comment Share on other sites More sharing options...
requinix Posted December 26, 2022 Share Posted December 26, 2022 What are you trying to protect against? Someone reading source code in your repository? Developers themselves knowing how to connect to and read from a production database? Other people on a shared hosting server reading your files? Quote Link to comment Share on other sites More sharing options...
DanRz Posted December 26, 2022 Author Share Posted December 26, 2022 I have a php application I made… Currently I use phpdotenv https://github.com/vlucas/phpdotenv to store my creds in a .env file in the root directory… It works, however twice now the AWS SES creds have been stolen and used to send mass emails… Im not sure how they’re finding the information but they are… so I’m just trying to figure out how to store them better to avoid them getting into the wrong hands… Quote Link to comment Share on other sites More sharing options...
ginerjm Posted December 27, 2022 Share Posted December 27, 2022 Since the root folder is accessible by almost anyone I don't think you want to store anything sensitive in there. Passwords s/b outside of the root which means above it or beside it where one has to use something other than html. Quote Link to comment Share on other sites More sharing options...
Solution kicken Posted December 27, 2022 Solution Share Posted December 27, 2022 1 hour ago, DanRz said: Im not sure how they’re finding the information but they are Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up. If it does, then that's your problem. Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL. If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism. If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code. Quote Link to comment Share on other sites More sharing options...
DanRz Posted December 27, 2022 Author Share Posted December 27, 2022 18 hours ago, kicken said: Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up. If it does, then that's your problem. Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL. If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism. If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code. Thanks so much! I never thought of this bit that indeed was the problem... an oversight I think!! I have now secured it with htaccess so its Forbidden now. Thanks for your help! Quote Link to comment Share on other sites More sharing options...
ginerjm Posted December 27, 2022 Share Posted December 27, 2022 The easy was was to move it to a folder outside of the root. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.