You are building out your brand new app. It's coming to life right before your eyes. It's going to make you a billion dollars, until one of your API keys gets leaked. Someone grabs it because it was logged to the console or committed to a public git repository. Here's how you can avoid that pain from the start.
Scan to see what secrets you have
Run the following prompt to scan your code for API Keys.
Scan the code to see if there are any API keys or secret keys stored in it. Please list which files they are located in.
Store the api keys inside of a confined space
Can you take any hardcoded API key that you find and put it into a .env file. Replace the hardcoded value with a call that reads the API key from an environment variable. If a .gitignore file is not present, add one configured to ignore the .env file.
Hardcoding your API keys, that is, writing them out directly in your program, is a problem. The better way is to store them in a file called .env. The .env file would look something like this:
export SECRET_API_KEY="superSecretAPIKey"
Then run this command on Mac or Linux: source .env
Your code can now read the keys from environment variables instead of spelling them out each time, so they stay out of your source and are far less likely to leak. Make sure .env is listed in .gitignore so the file itself never gets committed.
Don’t log api keys
One way people have been getting burned while vibe coding is logging the API keys directly. If those log statements end up in your front end, anyone using your app can grab the keys from the logs. Here's a prompt to identify where this is happening and remove it.
Please find any API key that is being logged, list where this is happening, and remove the log statements.
Good Practices from the start!
Ask the model to add a secret scanner such as TruffleHog to your project. Used properly, run before every deploy, it ensures you know about any API keys or secrets before they go out to the world.
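As an added example (not code from the original post), here is a small Python checker that does what the three prompts above ask for: it flags credential-looking names assigned a quoted literal (with an entropy filter so placeholders are skipped), flags log or print calls that mention such a name, and checks whether a .gitignore pattern would cover .env. The sample source and the key value in it are constructed for this example.

```python
import math
import re
from fnmatch import fnmatch
from typing import List, Tuple

# An identifier that smells like a credential: API_KEY, stripeSecret, authToken, password ...
NAME = r"\w*(?:key|secret|token|password)\w*"
# Such a name assigned a quoted literal of 16+ characters: KEY = "..." or key: '...'
ASSIGN_RE = re.compile(rf"\b(?P<name>{NAME})\s*[:=]\s*['\"](?P<value>[^'\"\s]{{16,}})['\"]", re.I)
# A log or print call whose arguments mention such a name.
LOG_RE = re.compile(rf"\b(?:console\.(?:log|error|warn)|print|logger\.\w+)\s*\(.*?(?P<name>{NAME})", re.I)
# Reading the value from the environment is the pattern we want, so those lines are skipped.
ENV_RE = re.compile(r"os\.environ|os\.getenv|process\.env|getenv\(")

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score around 4 or more, plain words around 3."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_source(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, identifier) for every hardcoded or logged secret found."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        logged = LOG_RE.search(line)
        if logged:                       # secret written to a log (the third prompt)
            findings.append((no, "logged", logged.group("name")))
        elif ENV_RE.search(line):        # already read from an environment variable: fine
            continue
        else:
            m = ASSIGN_RE.search(line)   # hardcoded literal with key-like randomness
            if m and shannon_entropy(m.group("value")) >= min_entropy:
                findings.append((no, "hardcoded", m.group("name")))
    return findings

def gitignore_covers_env(gitignore_text: str) -> bool:
    """True if some active (non-comment, non-negated) .gitignore pattern matches the name .env."""
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if pat and not pat.startswith(("#", "!")) and fnmatch(".env", pat.lstrip("/")):
            return True
    return False

# Constructed sample source; the key value below is invented for this example.
SAMPLE_SOURCE = """\
import os
OPENAI_API_KEY = "sk-constructed-A1b2C3d4E5f6G7h8I9j0K1l2"
stripe_secret = os.environ["STRIPE_SECRET"]
password = "passwordpasswordpassword"
print("debug", OPENAI_API_KEY)
"""
```

Running scan_source on the sample reports line 2 as a hardcoded key and line 5 as a logged one, while the environment lookup on line 3 and the low-entropy placeholder on line 4 pass.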
More Vibe Checks
Vibe Check 1: Budget Helpers and Limits. Ensure that you know how much you are spending on AI credits.