So, I was building a personal software project (to build my portfolio) with the intention of making it publicly available on a git hosting provider. This project consumes a public API which required an API key, acquired through my user account on an API hub. The API key was free, so it's not a matter of financial costs.
But is it safe to make source code containing API keys publicly available for others to use or see, such as on Git hosting providers (example GitHub)?
If no, how can I redact the API key from git commits, since it was committed and pushed along with the source code? Is there an alternative way other than removing the API key from the source code prior to git commits? I also would like to know how to redact API keys from git commits, in case I use API keys which cost money...
I was just thinking about issues since the API key is linked with my account, and what potential repercussions there could be should someone with malicious intent interact with the API using my API key.
CodePudding user response:
Remove it from your git history, for example GitHub has a tutorial to accomplish this: Github - removing sensitive data with a tool called BFG Repo-Cleaner (it is faster and easier than doing that with git filter-branch). Also don't forget to change your API key after you have removed it from your repo.
To replace all text listed in passwords.txt wherever it can be found in your repository's history, run: bfg --replace-text passwords.txt
Don't forget to run in the end: git push --force
CodePudding user response:
Your first step is to code in a way to have the API key separate from the committed code, for instance in a config file which is listed in .gitignore, so that neither you nor any other user of the code repeats this mistake.
Then, either rewrite your git history as mentioned in C1sc0's answer, or simply ensure that the leaked secret is no longer useful. In this case, go to the API in question, and find an option to invalidate the API key and generate a new one.
This is something you should routinely be doing anyway, in case it has leaked without you noticing, just as you should regularly change passwords. Many APIs have expiry dates on API keys to force you to do so.
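As an added example (not code from either answer), one way to implement the separation described above in Python: the key is read from an environment variable, falling back to a config.json that a small check confirms is covered by .gitignore. The filename, the environment variable name, the JSON layout and the environment-first precedence are assumptions.

```python
import fnmatch
import json
import os
import tempfile
from pathlib import Path

CONFIG_FILE = "config.json"  # hypothetical filename; listed in .gitignore, never committed

def load_api_key(repo_dir, env_var="MY_API_KEY"):
    """Environment variable first, else the gitignored config file; fail loudly otherwise."""
    key = os.environ.get(env_var)
    if key:
        return key
    config_path = Path(repo_dir) / CONFIG_FILE
    if config_path.is_file():
        key = json.loads(config_path.read_text()).get("api_key")
        if key:
            return key
    raise RuntimeError(f"no API key: set {env_var} or create {CONFIG_FILE}")

def config_is_ignored(repo_dir):
    """True if some .gitignore pattern matches CONFIG_FILE (simplified: comments and
    blank lines skipped, leading '/' dropped, shell-style globs via fnmatch)."""
    gitignore = Path(repo_dir) / ".gitignore"
    if not gitignore.is_file():
        return False
    patterns = [ln.strip().lstrip("/") for ln in gitignore.read_text().splitlines()]
    return any(p and not p.startswith("#") and fnmatch.fnmatch(CONFIG_FILE, p)
               for p in patterns)

def ensure_ignored(repo_dir):
    """Add CONFIG_FILE to .gitignore unless a pattern already covers it; True if added."""
    if config_is_ignored(repo_dir):
        return False
    with (Path(repo_dir) / ".gitignore").open("a") as fh:
        fh.write(CONFIG_FILE + "\n")
    return True

def demo():
    """Constructed scenario in a throwaway directory; returns what each step observed."""
    with tempfile.TemporaryDirectory() as repo:
        (Path(repo) / CONFIG_FILE).write_text(json.dumps({"api_key": "EXAMPLE-KEY-NOT-REAL"}))
        before = config_is_ignored(repo)     # no .gitignore yet -> False
        added = ensure_ignored(repo)         # writes the entry -> True
        after = config_is_ignored(repo)      # -> True
        file_key = load_api_key(repo, env_var="DEMO_UNSET_VAR")
        os.environ["DEMO_VAR"] = "FROM-ENV"  # the environment takes precedence over the file
        env_key = load_api_key(repo, env_var="DEMO_VAR")
        del os.environ["DEMO_VAR"]
        return before, added, after, file_key, env_key
```

Calling ensure_ignored a second time returns False, so it is safe to run on every start-up as a guard against the config file being committed by accident.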