Secrets storage and .gitignore

glye · web-flow · commit fe92994030c7 · 2024-12-03T13:46:34.000+01:00
diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md
@@ -151,7 +151,7 @@ Reduce your attack surface by exposing only what you must.
 `APP_SECRET` needs to be a strong, random, securely stored value.
 
 - Don't use a default value like `ff6dc61a329dc96652bb092ec58981f7` or `ThisTokenIsNotSoSecretChangeIt`.
-- The secret must be secured against unwanted access. Don't commit the value to a version control system.
+- The secret must be secured against unwanted access. Don't commit the value to a version control system. There are several ways of handling it, like with enviroment variables or files like `.env.local`. Files are considered more secure. If you store the secrets in files, make sure to add those files to `.gitignore` or similar, so they will never be committed to version control systems.
 - The secret must be long enough. 32 characters is minimum, longer is better.
 
 !!! tip
