[security] Secret should not be stored in environment variables #50
Comments
Using env variables is still the way things work on all PaaS platforms though.
Maybe solve it by referencing a file in an env variable?
This has been discussed in symfony/recipes#64 too.
And here: symfony/recipes#89 (comment). I'm working on a patch for the DI component, but I've no ETA yet.
@dunglas excellent, great to see someone with leverage push this issue further. 👍
Closing this one as discussion is now happening on symfony/symfony
Secrets such as passwords and SSH keys must not be stored in environment variables. Basically, environment variables are often stored (unencrypted) in logs and displayed when an error occurs.
The Docker security team recently published a post explaining why storing secrets in env variables should be avoided: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
They also released a tool to manage secrets.
Flex actually uses environment variables to store secrets (ex: the Doctrine recipe). It should use files or a system similar to the one introduced by Docker instead.
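
The file-based approach raised in this thread (the environment holds only the path to a secret file), as an added PHP example that is not Flex or Symfony code. The helper name `resolveSecret`, the `_FILE` suffix and the variable name `APP_DB_PASSWORD` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: load the secret $name from the file named by the
 * environment variable "{$name}_FILE" (the suffix is this example's choice).
 */
function resolveSecret(string $name, array $env): string
{
    $pathVar = $name . '_FILE';

    // A value placed directly in the environment is the pattern to refuse.
    if (array_key_exists($name, $env)) {
        throw new RuntimeException("$name is set directly; set $pathVar to a file path instead");
    }
    $path = $env[$pathVar] ?? '';
    if ($path === '' || !is_file($path) || !is_readable($path)) {
        throw new RuntimeException("$pathVar must name a readable secret file");
    }
    $value = file_get_contents($path);
    if ($value === false) {
        throw new RuntimeException("could not read the file named by $pathVar");
    }
    // Editors and `echo` append a newline; it is not part of the secret.
    return rtrim($value, "\r\n");
}

// Constructed demo: a temporary file stands in for a mounted secret.
$file = tempnam(sys_get_temp_dir(), 'secret_');   // created with mode 0600
file_put_contents($file, "constructed-example-password\n");

$env = ['APP_DB_PASSWORD_FILE' => $file];          // what the process environment holds
$password = resolveSecret('APP_DB_PASSWORD', $env);

// An environment dump (error page, debug log) now shows a path, not the value.
$dump = json_encode($env);
var_dump(strpos($dump, $password) !== false);

try {
    resolveSecret('APP_DB_PASSWORD', $env + ['APP_DB_PASSWORD' => 'inline-value']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                   // names the variable, never the value
}
unlink($file);
```

In an application, pass `getenv()` as `$env`; called without arguments it returns the whole environment as an array.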