Guide

Secrets management for small teams

Where to keep API keys and passwords so they don't end up in a breach report.

A "secret" is anything that grants access: API keys, database passwords, tokens, certificates. Where you put them is one of the biggest factors in whether you get breached. The good news: doing it right is not hard.

The rules

  • Never in code. Secrets committed to a repository — even a private one, even briefly — should be considered exposed.
  • Never in the front-end. Anything in your website's JavaScript is public.
  • Use a real secrets store. Environment variables, a managed secrets manager, or a vault — somewhere designed to hold them.
  • Give each service its own key with the least access it needs, so one leak doesn't hand over everything.
  • Rotate regularly, and immediately if anyone with access leaves or a key may have been exposed.
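The first rule is the easiest to check mechanically. The following is an added example, not part of this guide: a small scanner that flags assignments of high-entropy string literals to credential-looking variable names, run here over a constructed source snippet that contains both the mistake (a literal key) and the hardened form (a value read from the environment). The variable-name keywords and the entropy threshold are assumptions of the example and should be tuned to your own repositories.

```python
import math
import re
from collections import Counter

# Constructed sample source file. Line 2 is the hardened form (the value is
# read from the environment); line 3 is the mistake the rule above forbids;
# line 4 is a low-entropy default that a scanner should not flag.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
STRIPE_KEY = "sk_live_9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
API_KEY = "changeme"
GREETING = "hello world"
'''

# An assignment whose variable name suggests a credential and whose
# right-hand side is a quoted literal of 8+ characters. A lookup such as
# os.environ[...] does not start with a quote, so it is not matched.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:key|secret|token|password|passwd|pwd)\w*)'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']'
)

def shannon_entropy(value: str) -> float:
    """Bits per character of the literal; random key material scores high."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def find_hardcoded_secrets(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_no, variable, entropy) for literals that look like secrets.

    The threshold is a heuristic (assumed here): 32 hex characters of real
    key material score close to 4 bits/char, while words like "changeme"
    fall well below 3. Tune it against your own repository.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            name, literal = match.groups()
            entropy = shannon_entropy(literal)
            if entropy >= min_entropy:
                hits.append((line_no, name, round(entropy, 2)))
    return hits

if __name__ == "__main__":
    for line_no, name, entropy in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} is assigned a literal (entropy {entropy})")
```

Wired into a pre-commit hook over staged files, a check like this catches the "even briefly" case before the commit exists; it is a heuristic, so treat a hit as a prompt to look, not as proof.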

If a secret leaks

Rotate it first — generate a new one and revoke the old — then investigate. Deleting the file that contained it does nothing; the secret is already out. See our guide on exposed keys.

Not sure how your team is handling secrets today? That's one of the first things we check.

Want us to just handle it?

Send the details to [email protected] or book a call. We'll check it for you and fix what's exposed.