Secure Configuration andSecrets Management Explained
Most breaches are not clever. They come from a forgotten default password, a secret key pushed to a public repository, or a debug page left switched on. These are configuration mistakes, and they are very common because settings live in many places and are easy to overlook. This guide gives you a clear, simple way to think about them. It maps to chapter V13 of the OWASP standard, which you can explore in the ASVS Explorer.
What Is a Secret and Where Do They Leak?
A secret is any value that grants access and must stay private: database passwords, API keys, signing keys, tokens, and encryption keys. Secrets leak in a few predictable places. They get hardcoded into source files. They get committed to git, where they live in the history forever even after you delete them. They get printed into logs. And they get shared over chat and email. The goal of secrets management is to keep these values out of all of those places.
| Where secrets leak | The risk | The fix |
|---|---|---|
| Hardcoded in source | Anyone with the code gets the keys. | Load secrets from the environment or a secret manager at runtime. |
| Committed to git | The secret stays in history even after deletion, and public repos are scanned by bots within minutes. | Never commit secrets. Rotate any that were committed and use a secret scanner in your pipeline. |
| Printed in logs | Log files and log services expose the secret to many people. | Mask sensitive fields before logging. Never log tokens or passwords. |
| Baked into images | A container image or build artifact carries the secret wherever it goes. | Inject secrets at deploy time, not build time. |
How Should You Store Secrets?
The right home for a secret depends on your size and setup, but the ranking is clear. At the least, load secrets from environment variables so they are not in your code. Better, use a dedicated secret manager such as AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, or your platform's built in secret store. A secret manager gives you access control, an audit trail of who read what, and easy rotation. Whatever you choose, add a .env style file to your .gitignore so local secrets never get committed by accident.
// Bad: secret sitting in the code and in git history
const dbPassword = "S3cr3t-prod-2026";
// Good: secret comes from the environment at runtime
const dbPassword = process.env.DB_PASSWORD;
if (!dbPassword) throw new Error("DB_PASSWORD is not set");
Why Does Rotating Secrets Matter?
Rotation means changing a secret on a regular schedule and straight away if you think it leaked. It matters because secrets do leak, and a secret that never changes gives an attacker unlimited time to use it. A secret manager makes rotation far easier because your app reads the current value at runtime instead of having it copied into many places. Plan for rotation from the start, even if you do it rarely, so that changing a key is a routine task and not an emergency.
What Are the Most Common Misconfigurations?
- Debug mode on in production. Debug pages can reveal stack traces, configuration, and secrets. Turn debug off outside development.
- Detailed error messages to users. Show a plain error to the user and keep the technical detail in your server logs. This connects to good server side practices across your app.
- Default accounts and passwords. Remove or change every default login on databases, admin panels, and dashboards.
- Open cloud storage. Storage buckets set to public are a frequent source of large data leaks. Default them to private.
- Old or unpatched dependencies. Out of date libraries carry known holes. Track your dependencies and update them regularly.
Configuration and Secrets Checklist
- 1Keep all secrets out of source code and out of git history.
- 2Load secrets from environment variables or, better, a secret manager.
- 3Add env files and key files to gitignore, and scan commits for secrets.
- 4Rotate secrets on a schedule and immediately after any suspected leak.
- 5Turn off debug mode and detailed error pages in production.
- 6Remove or change all default accounts and passwords.
- 7Default cloud storage and databases to private, not public.
- 8Track dependencies and apply security updates promptly.