Here are some best practices for preventing API key leaks.
Key Management and Rotation
A crucial aspect of preventing API key leaks is proper key management and rotation.
Regular Rotation: API keys should be reset regularly to limit the time an attacker has access to them if they are compromised. The recommended rotation interval is every 90 days.
Secure Storage and Handling
Storing and handling API keys securely is fundamental to preventing leaks.
Never Expose Keys on the Client-Side: API keys should never be stored or exposed in client-side code or repositories such as Github, such as in a web browser or mobile app or anywhere visible on the frontend. All requests should be routed through a backend server that is private and not accessible to bad actors, ideally store the credentials in a secret manager can securely store and use the keys. If your using a third party platform to store the keys or send requests, its worth verifying their legitimacy, security and the worst case contacting us for feedback.
Avoid Hardcoding Credentials: Never store credentials directly within the application code. While it can be convenient for testing, it is a risk especially with a shared repository.
Use a Secure Vault: For the most important secret information, it is recommended to use a secure vault, eg) Hashicorp Vault.
Securely Store Database Credentials: Authentication credentials for backend databases should be stored in a centralized, locked-down location. Many development cloud providers provide a secure, encrypted store for this purpose (such as AWS having Secrets Manager)
Monitoring and Detection
Continuous monitoring and detection are essential for identifying and responding to potential key leaks.
Change password on regular basis
Implement Logging: Maintain detailed audit logs of all API requests to help investigate any security incidents. All authentication activities, successful or not, should be logged.
Set Up Alerts: Configure alerts on your platform side for unusual activity, such as a sudden spike in requests or requests from an unfamiliar IP address.
General Security Practices
In addition to the above, the following general security practices are recommended:
Use HTTPS: Always use HTTPS to encrypt data transmitted between your application and the API server.
Educate Your Team: Ensure your team understands the risks associated with API keys and follows secure practices. Human error is a common cause of security issues.
Strong Password Policy: Implement a strong password policy for any system that has access to API keys. This includes using strong, iterative, salted hashes for storing user passwords.
Incident Response Plan: Develop and maintain a robust Incident Response Plan (IRP) to quickly mitigate security breaches.
Principle of Least Privilege: Users and applications should only have access to the data and functionality required for their role.
