I store my secrets (API key, password...) as plain text in my config files, and push it into a private repository in GitLab. It is not a best practice, I know, but I think it's quite hard to read this information.
Unfortunately, some of my secrets have been leaked lately. My questions are:
Can config files in nodejs express be hacked? I tried to navigate to the config folder in a web browser but got a 404 error.
How to secure config files in nodejs? I did some research and found 2 major solutions: to use environment variables and to encrypt/decrypt config files. Using environment variables seems to be easy to implement, but in case of having a lot of variables, this method is quite inconvenient. Is there any other solution? Which npm package is good for securing config files?
Yes, even GitLab private repos are not secure. And the solution is to create a .env file in the root directory and put it in git ignore. And share the .env file securely through ssh.
I would like to share my Node-RED code on GitHub as part of an IoT project, however I would like to keep some of my data private (wifi password, database password, etc.).
I could manually erase this information, but this would not be very practical, since I would have to do it every time I update the file.
In my python scripts I use os.environ.get to save my passwords and upload to GitHub securely.
Is there some way to set up Node-RED to easily push to GitHub without revealing sensitive information?
Node properties can be pulled from environment variables using the ${} syntax. This is implemented by the runtime, so it should work in all nodes. If the node uses the typed input widget then it should also support environment variables directly.
Details are in the documentation here: https://nodered.org/docs/user-guide/environment-variables
Secondly, any node options that are explicitly tagged as credentials are stored in a separate encrypted file, _creds.json. By default this is encrypted with a randomly generated key on first run and stored in a hidden file in the userDir, but you can set your own key in the settings.js file.
If you use the Projects feature to store your flows in a git repository then you will be prompted for the encryption key needed as part of setting up the project or when you check it out. Documentation for projects is here:
https://nodered.org/docs/user-guide/projects/
I am using mongoose with MongoDB in a NodeJS application. Right now, in development, I have a configuration (.env) file which stores sensitive information my code needs to run. For example, the MongoDB password & URL, emails & passwords needed to email using the code, etc.
When I put it into production, it would obviously be wrong to upload this configuration file anywhere on the cloud, given the information in it. How can I make it so my production code, hosted somewhere such as Heroku, can access these needed variables without allowing undue access to them?
Thanks in advance!
You are right, pushing your env file to production is pretty bad from a security perspective.
The way you would go about storing your environment variables differs between cloud platforms, but essentially you should get a secure way of adding them through either a user interface or through a terminal (you can usually find this information easily by looking into your provider's documentation).
To store them in a project deployed on Heroku, you will need to:
Log in to Heroku
Open the newly deployed project
Head over the Settings tab
Find the section named Config Vars
Click on Reveal Vars
Add your variables in there
And you are good to go!
Can someone explain what the benefits of environment variables in Node.js are over a regular config file?
In my project I have a config.js file with DB details, AWS keys, etc. This file is added to .gitignore and never shared in the repository; instead there is a demo.config.js file with all required parameters filled with fake credentials, so you can just copy it as config.js and fill it with the correct details after a fresh install.
This file is "required" in every file when I need credentials in my project and on my development machine this config file is configured with test server details and with actual production server details on production machine.
Lately I read everywhere that everyone should use environment variables to store credentials safely, but I don't see any benefit to doing so in my project.
I'm not saying it's bad and my approach is better, I just want to know what actual benefit (security or otherwise) I will get with environment variables over my setup?
For me it is more like a common standard than anything else. The way you use config.js is practically the same as using environment variables. But instead of storing the configuration in environment variables, you store it in a js file.
The main difference is how you read that config. All mainstream languages I know will easily allow you to read from environment variables; there is really wide support for it. Reading from config files brings additional complexity, as you need to know the structure of that file, how to parse it, etc. In some languages (maybe node.js) it is probably easy to read from a js file, but in others it could be a difficult task.
That's why using environment variables is just a common standard and language-agnostic. You can even read them in bash scripts, etc.
Edit: adding a reference to The Twelve-Factor App; the Config section is particularly connected with the above question:
https://www.12factor.net/config
One benefit I see is when you are using Docker for local development and Kubernetes or any container orchestration for SIT/UAT etc., where the config settings are. In local development we keep all the required env variables and move the same to the container-based system.
By using dotenv I can ignore the development .env file before pushing it to the git repository; it complies with The Twelve-Factor App config factor. It prevents the configuration from being exposed to others, especially in open source projects.
But I am stuck when deploying it to the production, either using cloud deployment or using docker.
How can I include this file? Should I save the file into Vault or something?
Please help me to understand how I can secure my deployment environment.
You don't. The server environment (docker or otherwise) needs to be configured with its own environment variables, not the development ones. Any that will be the same in both you configure as default values for the application so that they have that value even if the variable isn't set.
You can use a file transfer protocol such as FileZilla or Cyberduck and transfer the file to your production server environment. Make sure the .env file you send to your server contains the credentials for the production database and not the development one, and so on. You could alternatively just add environment variables to your remote server's .env or .bashrc file, but this is probably not advisable compared to a .env file. As long as no one but you has access to the remote server (docker, heroku, aws, etc.) your credentials should be secure. Never share your .pem files.
I'm quite new at Node and Git. I've been working on this repository for a couple of days and I'm not sure how to make it work. It tells me to configure some vars but I don't quite understand how to. Which file should have the actual LOGIN, PASSWORD, SLACK, etc.? (Or should I just type them in the terminal?) What should I be typing in the Node terminal?
Nor am I sure how to run the GitHub files, since every time I call it in the terminal it types "No local config found" or "Cannot find module".
I have no clue how to go on, so any help would be REALLY appreciated.
https://github.com/nicolsc/slack-sigfox-last-message
Create a file config.local.js and store the parameters inside. Each existing parameter will override the defaults.
The files named config.*.local are also added to .gitignore, which makes it self-explanatory that those kinds of files are configuration files.
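The two answers above ("configure non-secret values as application defaults so they hold even when the variable isn't set" and "a git-ignored config.local.js whose parameters override the defaults") describe the same layering. The loader below is an added example, not code from any of the posts or from the linked repository: defaults are overridden by a local file's values, which are overridden by environment variables; secrets have no default so startup fails fast when one is missing, and they are redacted when the config object is logged as JSON. The setting and secret names (PORT, DB_PASSWORD, AWS_SECRET_ACCESS_KEY, ...) are assumed for illustration.

```javascript
// Added example: layered config loader for a Node.js app.
// Precedence, lowest first: DEFAULTS < localOverrides < env.
// Non-secret settings may have defaults; secrets deliberately have none.
const DEFAULTS = { PORT: '3000', DB_HOST: 'localhost', LOG_LEVEL: 'info' };
// Names assumed for illustration; use whatever the application really needs.
const REQUIRED_SECRETS = ['DB_PASSWORD', 'AWS_SECRET_ACCESS_KEY'];
// Any key matching this is redacted in JSON/log output.
const SECRET_PATTERN = /PASSWORD|SECRET|TOKEN|KEY/i;

// `env` is injectable so the loader can be tested with a constructed object;
// in the app call loadConfig(process.env, require('./config.local.js')) with the
// local file present only on development machines (it is git-ignored).
function loadConfig(env = process.env, localOverrides = {}) {
  const known = new Set([...Object.keys(DEFAULTS), ...REQUIRED_SECRETS]);
  const config = { ...DEFAULTS, ...localOverrides };
  // Copy only known keys: unrelated variables (PATH, HOME, ...) stay out,
  // and an empty string counts as unset.
  for (const key of known) {
    if (env[key] !== undefined && env[key] !== '') config[key] = env[key];
  }
  // Fail fast: a secret with no source at all is a deployment error.
  const missing = REQUIRED_SECRETS.filter((k) => !config[k]);
  if (missing.length > 0) {
    throw new Error(`Missing required configuration: ${missing.join(', ')}`);
  }
  // JSON.stringify(config) (and loggers that use it) print redacted secrets.
  Object.defineProperty(config, 'toJSON', {
    enumerable: false,
    value: () => Object.fromEntries(
      Object.entries(config).map(([k, v]) =>
        [k, SECRET_PATTERN.test(k) ? '[REDACTED]' : v])
    ),
  });
  return Object.freeze(config);
}
```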