
I have an app with several secret keys stored in various yml files, e.g. Amazon AWS keys stored in amazon.yml, Pusher keys stored in pusher.yml, and plenty more for various other features.

The codebase for the app is stored in a private (paid) GitHub repository, so the keys are protected from public access. However, I'm planning on pushing to Heroku, and I will be pushing the application as is.

Will the keys be accessible to the public this way? Or does Heroku do a good job of hiding/protecting the Git repo that is pushed to Heroku's server?

Please help clear this up for me.

Thanks!

user3399101

2 Answers


Both the repo and app config settings are accessible only to people who have been authorized to access the app.

mipadi

Further to @mipadi, Heroku's system runs on AWS, which basically means it manages a VPS / server instance on your behalf.

--

ENV

The ENV variables in your Heroku app are best likened to the Unix ENV variables, often stored in /etc/environment on a VPS. These are OS-level variables, which means that only if someone gains access to the OS can the variables be accessed / used.

--

Code

When you mention the safety of deploying the source to Heroku, you need to remember that Heroku also uses the git SCM system, meaning you're pushing the git-ready version of your code. All the dependencies, sensitive data & database storage are not linked to your Heroku app directly, giving you extra security.


If you're truly concerned with Heroku's security, your best bet is to get a VPS on the likes of RackSpace or similar. However, it's the same setup whether you use Heroku or not.

Richard Peck
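The second answer's point about ENV is the practical fix for the question: on Heroku a config var set with `heroku config:set NAME=value` shows up to the running app as an environment variable, so the keys never have to sit in amazon.yml or pusher.yml inside the repository that gets pushed. The Ruby below is an added example (not code from the question, either answer, or Heroku) of reading a service's secrets from ENV first, falling back to a YAML file only outside production, and refusing to boot in production if a variable is missing. It also includes a small pre-commit style check that flags YAML keys holding literal values rather than an ERB `<%= ENV[...] %>` reference. The service names, variable names and file layout are assumptions for illustration.

```ruby
require "yaml"

# Added example, not code from the original Q&A. Reads secrets from the process
# environment (where Heroku config vars appear) and only falls back to a YAML
# file outside production. Service and variable names below are assumed.
module SecretConfig
  class MissingSecret < StandardError; end

  # YAML key => environment variable that carries it in production (assumed names).
  SERVICES = {
    "pusher" => { "app_id" => "PUSHER_APP_ID", "key" => "PUSHER_KEY", "secret" => "PUSHER_SECRET" },
    "amazon" => { "access_key_id" => "AWS_ACCESS_KEY_ID", "secret_access_key" => "AWS_SECRET_ACCESS_KEY" },
  }.freeze

  # Returns { yaml_key => value } for a service. `env` is a Hash-like object such
  # as ENV; `yaml_text` is the contents of config/<service>.yml, or nil if absent.
  def self.load(service, env: ENV, yaml_text: nil, app_env: env.fetch("RACK_ENV", "development"))
    mapping = SERVICES.fetch(service) { raise ArgumentError, "unknown service: #{service}" }

    # 1. Environment first: `heroku config:set PUSHER_KEY=...` lands here on the dyno.
    result = {}
    mapping.each do |yaml_key, var|
      value = env[var]
      result[yaml_key] = value unless value.nil? || value.empty?
    end
    return result if result.size == mapping.size

    # 2. In production, fail fast rather than silently read a checked-in file.
    missing = mapping.keys - result.keys
    if app_env == "production" || yaml_text.nil?
      raise MissingSecret, "#{service}: missing #{missing.join(', ')}"
    end

    # 3. Local fallback: plain YAML keyed by environment, like Rails' database.yml.
    section = (YAML.safe_load(yaml_text) || {}).fetch(app_env, {})
    missing.each do |yaml_key|
      value = section[yaml_key]
      raise MissingSecret, "#{service}: missing #{yaml_key}" if value.nil? || value.to_s.empty?
      result[yaml_key] = value.to_s
    end
    result
  end

  # Pre-commit check: which keys in a YAML file hold a literal value instead of an
  # ERB reference to ENV (the form Rails evaluates, e.g. <%= ENV["PUSHER_KEY"] %>)?
  # A non-empty result means a secret is about to be pushed along with the code.
  def self.hardcoded_keys(yaml_text)
    found = []
    yaml_text.each_line do |line|
      next unless (m = line.match(/^\s*([A-Za-z0-9_]+):\s*(\S.*)$/))
      key, value = m[1], m[2].strip
      next if value.start_with?("<%") # ERB, resolved from ENV at load time
      found << key
    end
    found
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample file contents: one key references ENV, one is a literal.
  sample = "development:\n  key: <%= ENV[\"PUSHER_KEY\"] %>\n  secret: abc123\n"
  puts "hardcoded keys in sample pusher.yml: #{SecretConfig.hardcoded_keys(sample).inspect}"
end
```

With this in place the yml files can either be removed from the repository (and listed in .gitignore) or kept as thin ERB shells that point at ENV, so the repository that is pushed to Heroku carries no credentials, and a collaborator who can run `heroku config` sees the values only because they already have access to the app.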