Comment by westont5

21 hours ago

I'm not sure I've seen it mentioned yet that when Vercel rolled out their environment variable UI, there was no "sensitive" option https://github.com/vercel/vercel/discussions/4558#discussion.... There was ~2 years or more until it was introduced https://vercel.com/changelog/sensitive-environment-variables...

24 comments

westont5

Reply
nopointttt  17 hours ago

A sensitive flag at the UI layer doesn't actually change runtime. Once it's in process.env during a build, any dep that decides to grep it can. The real problem isn't a missing checkbox, it's that we still stuff every secret into one env bag and hand the build tools the whole bag. Cloudflare scoped bindings and Fly already split it up, other platforms are just slower.

  • miki123211  2 hours ago

    Yes.

    Ideally, your application code shouldn't ever need to see your secrets, those should only be accessible to tiny components that only expose the operations that the app actually needs to do.

    Instead of your app having an OPENAI_API_KEY, there should be some kind of external HTTP proxy that adds this key whenever the right endpoint is called.

    A man can dream though.

_pdp_  21 hours ago

Sensitive does not mean it is not readable. It is just simply not exposed through the UI. It can be easily leaked if you return a bit too much props from the action functions or routes.

The only way to defend against these types of issues is to encrypt your environment with your own keys, with secrets possibly baked into source as there are no other facilities to separate them. An attacker would need to not only read the environments but also download the compiled functions and find the decryption keys.

It is not ideal but it could work as a workaround.

  • harikb  20 hours ago

    > with secrets possibly baked into source

    please don't suggest this. The right way is to have the creds fetched from a vault, which is programmed to release the creds auth-free to your VM (with machine level identify managed by the parent platform)

    This is how Google Secrets or AWS Vaults work.

    • jcgl  20 hours ago

      > The right way is to have the creds fetched from a vault, which is programmed to release the creds auth-free to your VM

      Or have whatever deployment tool that currently populates the env vars instead use the same information to populate files on the filesystem (like mounting creds).

    • chatmasta  19 hours ago

      Next.js renders configuration that’s shared by client and server into a JSON blob in the HTML page. These config variables often come from environment variables. It’s a very common mistake for people to not realize this, and accidentally put what should be a server-only secret into this config. I’ve seen API secrets in HTML source code because of this. The client app doesn’t even use it, but it’s part of the next config so it renders into the page.

      3 replies →

    • _pdp_  20 hours ago

      I was reffering to Vercel. Other cloud environments have much better mechanisms for securing secrets.

    • SoftTalker  20 hours ago

      This is just another layer of indirection (which isn't bad; it adds to the difficulty of executing a breach). The fundamental problem with encrypted secrets is that at some point you need to access and decrypt them.

      8 replies →

  • eecc  8 hours ago

    Looks like how GitLab does it.

    As far as I’m concerned, the only sane way is to dump credentials in a well-known path and let the environment decide what to bind them with at runtime (which is how Kubernetes does it, at least the EKS version I’ve had to work with).

    IOW, JEE variable binding (JNDI) did it right 20 years or so ago.

    It might be worth for architecture designers to look back at that engineering monument (in all its possible meanings, it felt complicated at times) and study its solutions before coming up with a different solution to a problem it solved