This project handles potentially sensitive information, such as API keys and access tokens. To prevent accidental exposure of this data, please adhere to the following process before committing and pushing changes:
- **Environment Variables (`.env`):**
  - All sensitive keys, tokens, or environment-specific configurations (e.g., Mapbox Access Token, database credentials, private API keys) MUST be stored in a `.env` file at the project root.
  - A `.env.example` file MUST be maintained in the repository. This file should list all required environment variables with placeholder or example values, but NEVER real credentials.
  - The `.gitignore` file is configured to EXCLUDE all `.env` and `.env.*` files (except `.env.example`) from being tracked by Git.
- **Pre-Commit/Pre-Push Checks:**
  - **Review Changes:** Before committing, use `git diff --staged` (after `git add`) or your IDE's diff view to review all changes being committed. Pay close attention to any configuration files or areas where sensitive data might have been temporarily hardcoded.
  - **Check `.gitignore`:** Ensure your `.gitignore` is up-to-date and correctly excludes all necessary files and directories (e.g., `node_modules/`, `dist/`, `.env*`).
  - **No Hardcoded Secrets:** NEVER hardcode API keys, tokens, passwords, or other sensitive credentials directly into source code files (`.ts`, `.tsx`, `.js`, `.html`, etc.). Always use environment variables accessed via `import.meta.env.VITE_YOUR_VARIABLE_NAME` (for Vite projects) or the equivalent for your backend.
  - **Verify No Secrets in Staging:** Before pushing, especially to a new or public repository, it's a good idea to do a quick search for common secret patterns in your codebase if you're unsure (e.g., `grep -i "token\|key\|secret\|password" -r src/`). This is an extra precaution.
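The two checklists above (keeping `.env` files out of the tree, and catching hardcoded secrets before they are committed) as one added shell example. This script is not part of the project; the function names, the secret-matching pattern, and the sample files it creates are assumptions made here. In a real pre-commit hook the paths would come from `git diff --staged --name-only`; here they are passed as arguments so the checks can be exercised without a repository.

```shell
#!/bin/sh
# Added example, not part of this project: a pre-commit style check that
# enforces two rules from the checklist (no .env files other than
# .env.example, no hardcoded secrets in source). Paths are passed as
# arguments; a real hook would feed it `git diff --staged --name-only`.

# Rule 1: refuse any .env or .env.* file except .env.example.
# Equivalent .gitignore rules:   .env   .env.*   !.env.example
check_env_files() {
    env_rc=0
    for f in "$@"; do
        case "$(basename "$f")" in
            .env.example) ;;                      # allowed: placeholders only
            .env|.env.*)
                echo "refusing to commit environment file: $f" >&2
                env_rc=1 ;;
        esac
    done
    return $env_rc
}

# Rule 2: grep files/directories for a secret-like name assigned a quoted
# literal of 8+ characters (an extended form of the checklist's grep).
# Reads via import.meta.env.* are the sanctioned pattern and are filtered
# out. This is a heuristic: it reports candidates, a human decides.
scan_for_secrets() {
    pat="(token|api[_-]?key|secret|password)[\"']?[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"
    if grep -r -n -i -E "$pat" "$@" | grep -v 'import\.meta\.env\.'; then
        echo "possible hardcoded secret(s) listed above; move them to .env" >&2
        return 1
    fi
    return 0
}

# Run both rules over the same paths; fail if either does.
run_checks() {
    status=0
    check_env_files "$@" || status=1
    scan_for_secrets "$@" || status=1
    return $status
}

# Constructed sample tree (not real project files) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/src"
cat > "$SAMPLE_DIR/src/map.ts" <<'EOF'
// sanctioned: the token is read from the environment
const token = import.meta.env.VITE_MAPBOX_TOKEN;
EOF
cat > "$SAMPLE_DIR/src/leaked.ts" <<'EOF'
// mistake: a literal token hardcoded in source
const MAPBOX_TOKEN = "pk.EXAMPLE-not-a-real-token-0123456789";
EOF
printf 'VITE_MAPBOX_TOKEN=your-token-here\n' > "$SAMPLE_DIR/.env.example"
printf 'VITE_MAPBOX_TOKEN=pk.EXAMPLE-not-a-real-token-0123456789\n' > "$SAMPLE_DIR/.env"

# Usage: the clean files pass; the .env file and the src tree fail on both rules.
run_checks "$SAMPLE_DIR/.env.example" "$SAMPLE_DIR/src/map.ts" && echo "clean files: OK"
run_checks "$SAMPLE_DIR/.env" "$SAMPLE_DIR/src" || echo "sample tree: checks failed (expected)"
```

Two caveats when adapting this: a bare `.env*` pattern in `.gitignore` also matches `.env.example`, so it needs a following `!.env.example` line to keep the example file tracked; and the grep is only a first filter, since secrets stored without a quoted literal (for example in a `.env` file itself) are caught by the filename rule rather than by the pattern.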
- **If a Secret is Accidentally Committed:**
  - If you accidentally commit and push sensitive data, IMMEDIATELY invalidate the exposed credential (e.g., revoke the API key, change the password).
  - Then, remove the sensitive data from your Git history. This is a more complex process and typically involves tools like `git filter-repo` or BFG Repo-Cleaner. Refer to GitHub's documentation on Removing sensitive data from a repository.
  - Changing the commit history is a destructive operation. Proceed with caution and ensure you have backups if necessary.
By following these steps, we aim to keep sensitive data secure and out of the project's version history.