Hacker News

Glad I don't work at your shop then. Environment variables are a terrible way to give your app secure information. There's well over a dozen reasons why you shouldn't do this in your apps, but one super obvious one is there's way too many frameworks that expose environment variables in their debug output if not properly configured. Think you'll never misconfigure a server? Guess again, pretty much every major site (Google, FB, Twitter, Yahoo, eBay, Microsoft, etc) have all done it at some point.


Please review HN's guidelines on civility.


Fair point, I potentially should've left off the first sentence. I stand behind the rest of the post, but the first sentence is a bit on the edge and I apologize.


Alright, well, I've never seen an application/framework spit out environment variables when it was misconfigured. But then again, I barely work with web-related stuff so maybe I just don't use the kind of software that does this. Could you provide some examples?


Many web frameworks do this when in "debug" mode.


Your comment sounded more colloquial than uncivil to me, but thanks for responding so respectfully.


[flagged]


I'm glad you made a new account named 'shutupbitch' just to tell me this. Thank you for your contribution.


Please don't feed trolls.


The "dump environment" problem is an issue for novice developers, but mature shops should have security-conscious frameworks for secrets handling that do things like clear the variable from the environment at initialization time.

What are your other 11 objections?
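An added example, not part of the thread: one way to do the "clear the variable from the environment at initialization time" step the comment above mentions, sketched in Python. `Secrets`, `debug_dump`, `child_sees` and `DEMO_DB_PASSWORD` are hypothetical names, and the secret value is constructed.

```python
import os
import subprocess
import sys


class Secrets:
    """Moves named secrets out of the process environment at startup."""

    def __init__(self, names, environ=os.environ):
        self._values = {}
        for name in names:
            # os.environ.pop() also calls unsetenv(), so the variable is
            # gone for later in-process dumps and for child processes.
            value = environ.pop(name, None)
            if value is None:
                raise RuntimeError(f"missing required secret: {name}")
            self._values[name] = value

    def get(self, name):
        return self._values[name]

    def __repr__(self):
        # Show names only, so logging the object never leaks a value.
        return f"<Secrets {sorted(self._values)}>"


def debug_dump():
    """Stand-in for a framework debug page that prints the environment."""
    return "\n".join(f"{k}={v}" for k, v in sorted(os.environ.items()))


def child_sees(name):
    """Return what a freshly spawned child process sees for `name`."""
    code = f"import os; print(os.environ.get({name!r}))"
    result = subprocess.run([sys.executable, "-c", code],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    os.environ["DEMO_DB_PASSWORD"] = "constructed-value"  # constructed sample
    print("before:", "constructed-value" in debug_dump())
    secrets = Secrets(["DEMO_DB_PASSWORD"])
    print("after: ", "constructed-value" in debug_dump())
    print("child: ", child_sees("DEMO_DB_PASSWORD"))
    print(secrets)
```

On Linux, `/proc/<pid>/environ` still shows the environment block the process was started with, so this narrows exposure to in-process dumps and child processes rather than hiding the secret from anything that can read that file.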



