I am planning to deploy an app that uses a few API keys on Heroku. I was planning on using their Git deployment method. I have a few API keys in the application that could create problems if they were to be compromised.

Is it safe to deploy an app like that through Heroku? Should I use their Dropbox method instead?

Any insight or feedback would be appreciated. Thank you in advance!

1 Answer

As long as you trust Heroku, it shouldn't make a difference which deployment method you use. However, make sure you don't keep your secrets (like API keys, tokens, and passwords) directly in your code. You could use environment variables instead. You can assign values to environment variables using either the Heroku dashboard or their command line interface.

2 Comments

You can also keep API keys in the properties file in an encrypted way, for example property=ENC(s242s==). When it is loading, decrypt it and pass it where it is needed.
You'd still have to keep a secret somewhere to decrypt the value, and that shouldn't be stored in the repo for the same reasons. Use ENV variables, never commit them to your repository. Part of the dev ops task of provisioning any new instance should be to include the necessary keys for your application, and changing or rolling those creds for any reason shouldn't ever require your code to change. Code = plumbing (repo) / Config = where you put the plumbing (dev ops) / Data = what's running through the pipes (persistence, database, etc)
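
The following is an added example, not code from the question, the answer or the comments: a start-up loader that takes API keys from environment variables (Heroku config vars), fails fast when one is unset, and masks values so they do not end up in logs. The variable names `PAYMENTS_API_KEY` and `MAIL_API_TOKEN` and the helper names are hypothetical.

```python
import os


class Secret:
    """Holds a secret value and keeps it out of repr(), str() and logs."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        # Call only at the point where the key is handed to the API client.
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


class MissingSecrets(RuntimeError):
    pass


# Hypothetical variable names; on Heroku they would be set as config vars,
# e.g. `heroku config:set PAYMENTS_API_KEY=...`, never committed to the repo.
REQUIRED = ("PAYMENTS_API_KEY", "MAIL_API_TOKEN")


def load_secrets(environ=None, required=REQUIRED):
    """Return {name: Secret} or raise naming every variable that is unset."""
    environ = os.environ if environ is None else environ
    missing = [n for n in required if not environ.get(n, "").strip()]
    if missing:
        # Report names only; never echo values, even partial ones.
        raise MissingSecrets("unset config vars: " + ", ".join(missing))
    return {n: Secret(environ[n]) for n in required}


if __name__ == "__main__":
    # Constructed sample environment standing in for os.environ.
    sample = {"PAYMENTS_API_KEY": "constructed-key-123", "MAIL_API_TOKEN": ""}
    try:
        load_secrets(sample)
    except MissingSecrets as exc:
        print(exc)
    sample["MAIL_API_TOKEN"] = "constructed-token-456"
    print(load_secrets(sample))
```

Rotating a key then means changing the config var and restarting the app; the repository and the deployed code stay the same.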