hardcoding secrets in code

(common gotcha)

what happened

you push API keys, passwords, or tokens to a public GitHub repo. bots scrape GitHub for exposed secrets around the clock. within minutes the key is in someone else's hands: your AWS account is spinning up instances for crypto mining and the bill is in the thousands, your API quota is being burned by a stranger, or your database is wiped.

why it's a gotcha

it happens to everyone at least once. you're moving fast, you hardcode a key "just for testing," you forget to remove it, you push. even if you delete or amend the commit and force-push, the secret is still in the git history (and in every clone and fork made in the meantime) and can still be found. bots are scanning GitHub continuously, so this is not a theoretical risk. sloppy git habits compound it: `git add .` without looking, committing without reading the diff, keeping config files with real credentials inside the repo.

the fix

use environment variables or a .env file (and add .env to .gitignore, before the first commit). use a secrets manager for anything production. if you accidentally push a secret, revoke and rotate it immediately and treat it as already compromised; deleting the commit does nothing. tools like git-secrets run as a pre-commit hook and refuse the commit before the secret ever enters history; GitHub's push protection can block the push itself, while its secret scanning only alerts you after the secret is already public. and always review what you're committing (`git diff --cached`) before you push it.
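the two halves of the fix side by side, as an added example (this is not git-secrets or GitHub's scanner, just illustrative code for this page): `load_secret` reads a credential from the environment and fails loudly if it is missing, and `scan_text` is a small pre-commit style scanner that flags known key formats and `password = "..."` style literals, ranking generic matches by entropy so placeholders like "changeme" rank lower than real-looking tokens. the regex prefixes for AWS and GitHub token formats are assumptions about those providers' current formats, and the sample source is constructed (the AWS key is the example value from AWS's own documentation, not a live key).

```python
"""Added example: read secrets from the environment, and scan text for
hardcoded credentials before it is committed."""
import math
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Credential formats with a recognisable shape. Assumption: these prefixes
# match the providers' current formats; treat the list as illustrative.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Anything shaped like `password = "..."` or `api_key: '...'`. The quoted value
# is scored by entropy so obvious placeholders rank lower than random tokens.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    confidence: str  # "high" for known formats, "medium"/"low" for generic matches
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above natural words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, medium_entropy: float = 3.0) -> List[Finding]:
    """Scan source (or a `git diff --cached` dump) line by line for secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, kind, "high", line.strip()))
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            conf = "medium" if shannon_entropy(value) >= medium_entropy else "low"
            findings.append(Finding(line_no, m.group(1).lower(), conf, line.strip()))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The 'after' pattern: read the secret from the environment and fail
    loudly if it is absent, so a misconfigured deployment never silently
    falls back to a default or a hardcoded value."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set in the environment")
    return value


# Constructed sample: the 'before' state someone is about to commit. The AWS
# value is the documented example key from AWS, not a real credential.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "x9Qm2Lr7Vb4Tz8Kp3Wn6"
password = "changeme"
token = os.environ["API_TOKEN"]
"""


def main(argv: List[str]) -> int:
    """Pre-commit style use: `git diff --cached | python scan_secrets.py -`.
    Exits non-zero on any high/medium finding so the commit is refused."""
    if len(argv) > 1:
        text = sys.stdin.read() if argv[1] == "-" else open(argv[1]).read()
    else:
        text = SAMPLE_SOURCE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.kind} ({f.confidence}): {f.snippet}")
    return 1 if any(f.confidence != "low" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

run it with no arguments to scan the built-in sample; wire it up as a pre-commit hook by piping `git diff --cached` into it so both the added and removed sides of the diff get checked. the "low" bucket is deliberately not a hard failure so a placeholder doesn't block every commit, but it is still printed so you see it. to check whether a key has already reached history, `git log -p --all -S 'AKIA'` searches every commit on every branch for the string.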
