I am using Heroku to host my web server. Is my source code there available or open to others as there are some private information in my source codes? If it is, how can I prevent that? I looked at some questions before, but it wasn't clear.
Your code pushed to Heroku stays private, however it is a bad idea to store sensitive data (tokens, passwords, IDs) in the source code.
Heroku best practises is to use Config Var to define secrets, these are injected into your application at runtime as environment variables (which you can access programatically - depending which language you use)
Related
I have a webapp, with all my configurations defined in a file which includes, passwords, secrets and other configs. What is a secure and easy way to provide these settings when deploying to App Engine?
I have 2 files: config.dev.yaml and config.prod.yaml.
Solutions that I found:
google cloud key manager (GKM) however i think this solution seems expensive, and complex to implement.
put secrets in app.yaml as environment variables. A lot of people said that this is not secure?
include config file in deployment with source code. also people say this is a bad idea.
solution I'm thinking about that I'm not sure if it will work:
store all my config in the Firestore, and pull them at a build time?
I spent all day looking for answer to this, nobody seems to have a "standard" simple solution.
Secrets need to be kept secret. Therefore, putting the secrets in plain text either in environment variable or in a config file is not a good idea. And in both case, you will commit the files in the repositories, which is also ugly.
So, you need to keep the secrets secret until you need to use them.
You can use KMS and manage yourself your encryption/decryption. But it's not very funny to do and there is a lot of extra code to implement. At the end, you store only encrypted version of your secret
You can use Secret manager. You store only a secret reference and a simple API call allows you to get the secrets. And you store only the secret manager references in your files.
The main issue with these secure solutions is if you have framework or library that autoload values from configuration automatically. Therefore, you have to implement a hook at the application startup to convert the values from secret form to plain text, and then continue the normal loading.
If you share your language, I could have answers.
I'm currently doing a audit of some Safe Exam Browser features as part of my master thesis, and I started looking into the browser request hash that is used to ensure that people use the safe exam browser in the LMS our university has opted for. As an attempt I just created my own SEB config file (on my mac), and I managed to compute the correct browser request hash from the key I got from said config file. If I re-open the same file in the SEB config editor it still presents me with the same hash (so I can get it again later).
However, the SEB config file I got from the LMS system we use, when I open that and copy the config key, I am unable to generate the correct browser request hashes (using the same code). Does this has to do with OSX vs Windows somehow? Or is there some other mechanism that I don't know about?
Originally asked at the Safe Exam Browser forums.
We're currently evaluating Heroku to replace the initial workflow of renting a VPS for a small Web App (since we're working on NodeJS, cPanel hosting plans aren't enough, ergo, VPS).
The confusion lies in Heroku's actual usage as even though it's clear it's used as a platform as a service, there is no Disk (HDD/SSD) limit described.
Web App requirement includes file upload capabilities (profile picture, etc) so I'm not sure Heroku is what we need. Can I get a clear explanation on this?
Not a Heroku expert, but...
You could always use one of the various add-ins that offer database support for storing your images until that no longer works
As the usage of your site scales out, you'd probably want to place static content into a CDN.
I wouldn't consider placing files into Heroku that weren't related to running code and honestly I don't even know if you can.
(I originally just wanted to comment, but need a higher rep :/)
Currently using a setup that follows: Backbone, Parse, Require, and Marionette.
I've found through my application that I often need to reuse objects I've already pulled down from Parse.
Parse already does this through Parse.User.current(), However it would be great to store other entities locally rather than retrieving them over and over again.
Does anyone have any suggestions in terms of good practices or libraries to use for caching these objects locally or would having global variables that hold the information while the application runs be enough?
The Parse JavaScript SDK is open source, so you could look at the implementation of Parse.User.current and Parse.User._saveCurrentUser. Maybe you could do something similar. http://www.parsecdn.com/js/parse-1.1.11.js
While running on Heroku, I would like to be able to put key information via, say, puts or other such statement, to write to a log file.
But Heroku doesn't allow writing to a file, so what is a way to do this easily?
Heroku recommends that you use an external service like Hoptoad or Get Exceptional.
Anything you do would have to be done by interaction with the database, or via an HTTP interaction with an outside app. Those are the only ways to persist information as the platform stands right now. Personally if I had to have logging and Hoptoad (et. al.) wouldn't work, I'd log to the db. That's not a great way of doing things though.