What are some best practices and recommendations on how to store and protect API keys?
Store API keys / secrets safely
- Do not embed API keys / secrets directly in code.
- Do not store API keys / secrets in files inside your application, including the application’s source tree.
- If you do accidentally commit an API key / secrets to version control, revoke it immediately and generate a new one.
- Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.
- Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.
- Put the configuration file containing the API keys / secrets in the revision control ignore file (e.g. .gitignore). This prevents committing them by mistake in the future.
Limit the usage of API keys / secrets
- Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and mobile apps that need them.
- Don't share your API keys / secrets with different applications. If more than one application uses the same API, register each application to get a new set of API keys / secrets.
Update API keys / secrets
- Delete unneeded API keys / secrets.
- Update (regenerate) your API keys / secrets periodically.
- Best practices for securely using API keys: https://support.google.com/cloud/answer/6310037?hl=en
- REST Security Cheat Sheet - OWASP: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
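The following is an added example, not part of the answer above or of the linked guides, that turns several of the listed practices into checks a project can run: reading the key from the environment or from a file kept outside the source tree, redacting credential parameters from a URL before it reaches a log line, confirming that a config file is matched by .gitignore, and scanning source text for hard-coded key literals before a public release. The environment variable name `EXAMPLE_API_KEY`, the parameter list, the regular expression and the sample source text are all assumptions constructed for illustration.

```python
"""Helpers for the API-key practices above (added example, not from the
original answer). Every name, pattern and sample value here is constructed."""
import fnmatch
import math
import os
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that commonly carry credentials (assumed list).
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "secret"}

# Assignment of a long quoted literal to a credential-like name (assumed pattern).
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{16,})["']"""
)


def load_api_key(env_var="EXAMPLE_API_KEY", config_path=None, environ=None):
    """Return the key from the environment, else from a file that lives
    outside the source tree (e.g. ~/.config/example/key). Raise when neither
    is set so the application fails closed instead of using an empty key."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value and value.strip():
        return value.strip()
    if config_path and os.path.isfile(config_path):
        with open(config_path, encoding="utf-8") as fh:
            value = fh.read().strip()
        if value:
            return value
    raise RuntimeError(f"API key not found: set {env_var} or provide {config_path}")


def redact_url(url):
    """Replace credential query parameters so the URL is safe to write to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def is_gitignored(path, gitignore_lines):
    """Minimal .gitignore matcher: whole-path globs, basename globs and
    directory prefixes. Good enough for a pre-commit sanity check."""
    for raw in gitignore_lines:
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        pattern = pattern.rstrip("/")
        if fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(os.path.basename(path), pattern):
            return True
        if path.startswith(pattern + "/"):
            return True
    return False


def _entropy(text):
    """Shannon entropy in bits per character; placeholders like 'xxxx' score 0."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def scan_for_secrets(source_text, min_entropy=3.0):
    """Return (line_number, variable_name) for every assignment of a long,
    high-entropy literal to a credential-like name. The entropy threshold
    skips obvious placeholders so the scan is useful on real code."""
    findings = []
    for number, line in enumerate(source_text.splitlines(), 1):
        for match in ASSIGNMENT_RE.finditer(line):
            if _entropy(match.group(2)) >= min_entropy:
                findings.append((number, match.group(1)))
    return findings


# Constructed sample source: one hard-coded key, one environment lookup, one placeholder.
SAMPLE_SOURCE = '''\
import os
API_KEY = "AIzaSyD-ExampleConstructedKey0123456789"   # hard-coded: should be flagged
api_key = os.environ["EXAMPLE_API_KEY"]               # read from environment: fine
PASSWORD = "xxxxxxxxxxxxxxxxxxxx"                     # placeholder, low entropy
'''

if __name__ == "__main__":
    for line_number, name in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {line_number}: literal assigned to {name}")
    print(redact_url("https://api.example.com/v1/items?api_key=abc123&page=2"))
    print(is_gitignored("config/secrets.ini", ["*.ini", "# comment", "build/"]))
```

Running the module flags line 2 of the constructed sample only: the environment lookup on line 3 has no quoted literal, and the all-`x` placeholder on line 4 falls under the entropy threshold. The scanner is a pre-release check, not a substitute for keeping keys out of the tree in the first place; once a key has been committed the advice above still applies, regardless of what the scan finds later.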