Comments (7)
rogusdev
commented on June 15, 2024
2
So, I hear you on your callout. However, seeing as the purpose of this library is to use env vars, and I do not specifically call out secrets, I don't personally know what should be changed about this line. Do you have an alternative in mind?
from dotnet-env.
MrDave1999
commented on June 15, 2024
I would change that line for this one:
When the application is deployed in production, you should not store sensitive data such as passwords, API Key, JWT Secret, etc. in a static .env file, because that data is in plain text. Instead, you should use a secrets manager such as those provided by cloud services like AWS or any other.
from dotnet-env.
rogusdev
commented on June 15, 2024
I would rather change it to simply add an extra blurb:
When the application is deployed into production, actual env vars should be used, not a static .env file! Also remember that secrets might be best accessed from a secrets manager or config service rather than env vars, to avoid exposing those secrets to other processes on the machine.
How would that work for you? @MrDave1999
from dotnet-env.
MrDave1999
commented on June 15, 2024
When the application is deployed into production,
actual env vars should be useduse not a static .env file!AlsoRemember that secrets might be best accessed from a secrets manager or config service rather than env vars, to avoid exposing those secrets to other processes on the machine.
I think it is no longer necessary to recommend the use of actual env vars.
What do you think? @rogusdev
from dotnet-env.
rogusdev
commented on June 15, 2024
Plenty of apps can, do, and should use env vars in prod. This is still a well recommended best practice, such as:
https://12factor.net/config
I'm not inclined to make the changes you are suggesting. I would be willing to add the secrets sentence I suggested if that would suffice for you
from dotnet-env.
MrDave1999
commented on June 15, 2024
Using actual env vars is not bad, the problem is that env vars should not be used to store secret data, are we aware of that? I think so. That's why I tell you that using actual env vars is not a recommended practice for storing secrets.
The third principle of the 12-factor methodology does not mention at any time that env vars should be used to store secret data. In order not to complicate things and make this issue longer, just make the change you propose from the beginning.
After this paragraph:
When the application is deployed into production, actual env vars should be used, not a static .env file!
Add this:
For added security, use a secrets manager to keep sensitive data safe.
Done, all happy and prosperous Christmas :)
from dotnet-env.
rogusdev
commented on June 15, 2024
I've thought about it, and I am not inclined to say anything about secrets. This is a library for .env files. What people put in env vars is outside the scope of this library. I just wanted to emphasize that a .env file and env vars should be kept separate between dev and prod, and I feel that is covered.
from dotnet-env.
Related Issues (20)
- Not compatible with Kubernetes .env HOT 3
- Failure to parse on $ HOT 2
- Not installing on .NET 4.5.2 HOT 3
- Is there support for hierarchical settings? HOT 2
- how to use .env file in production? HOT 1
- Fails to parse when environment file has dash (-) HOT 9
- Not Able to read env variables for project type .NET Framework 4.7.2 HOT 2
- Creating a IConfigurationBuilder method extension for environment variables HOT 5
- Env file not loading HOT 3
- Vulnerability issue v2.3.0 HOT 1
- Environment variables for .NET Framework 4.7.2 set on a run basis rather than on a project root folder basis HOT 7
- Suggestion: Defaults Are Unexpected
- Add readme to nuget package HOT 1
- 2.4.0 Doesn't Work - Fails to Load .env HOT 19
- Encryption HOT 1
- Transitive Dependency System.Net.Http 4.3.0 contains vulnerabilities according to Checkmarx HOT 3
- Denial of Service (DoS) - v2.5.0 HOT 1
- Loading Configuration from File - Parsed it to an object HOT 3
- Interpolation stops working with `SetEnvVars == false` HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dotnet-env.