The $20 Billion Problem
Leaked API keys and secrets are one of the most common and costly security failures. GitGuardian scans found over 10 million secrets exposed in public GitHub repositories in 2025. A single leaked AWS key can result in thousands of dollars in unauthorized charges within hours.
If you're a developer working remotely, your API keys are even more at risk — you're working on shared networks, personal devices, and multiple machines.
The Cardinal Rules
- Never commit secrets to git. Not even "temporarily"
- Never hard-code secrets in source code. Not even for testing
- Never share secrets via Slack, email, or chat. Use a secrets manager
- Always use environment variables for configuration
- Rotate keys immediately if you suspect exposure
Setting Up .gitignore Correctly
Before you write any code, ensure your .gitignore blocks all secret files:
# Environment files
.env
.env.local
.env.*.local
.env.production
.env.staging
# Cloud provider credentials
*.pem
*.key
credentials.json
serviceAccountKey.json
# IDE-specific
.idea/
.vscode/settings.json
Using Environment Variables
Instead of:
// NEVER DO THIS
const API_KEY = "sk-abc123...";
Do this:
// CORRECT
const API_KEY = process.env.API_KEY;
And store the actual value in .env:
API_KEY=sk-abc123...
Secrets Managers for Teams
For teams, environment variables alone aren't enough. Use a secrets manager:
| Tool | Type | Best For | Price |
|------|------|----------|-------|
| GitHub Secrets | Built-in | GitHub Actions CI/CD | Free |
| Doppler | SaaS | Multi-environment sync | Free tier |
| HashiCorp Vault | Self-hosted/Cloud | Enterprise | Free (OSS) |
| AWS Secrets Manager | Cloud | AWS workloads | $0.40/secret/month |
| 1Password Secrets Automation | SaaS | Teams using 1Password | Included in business plan |
GitHub Secret Scanning
GitHub automatically scans for known secret patterns (API keys, tokens, passwords) in your repositories. Enable push protection to block commits containing secrets:
- Repository Settings > Security > Code security and analysis
- Enable "Secret scanning"
- Enable "Push protection" — this prevents commits with detected secrets from being pushed
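A local check in the same spirit as push protection, added here as an example (not GitHub's scanner and not from the original guide): it flags files that the .gitignore above is meant to keep out of the repository, and lines that match a few secret-shaped patterns. The patterns and the "staged" sample files are constructed for illustration; a real scanner uses far larger, provider-specific rule sets.

```javascript
// Secret-shaped patterns. Constructed for this example; real scanners carry
// hundreds of provider-specific rules and validate candidates against the provider.
const SECRET_PATTERNS = [
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "sk- prefixed key", re: /\bsk-[A-Za-z0-9]{20,}\b/ },
  { name: "GitHub token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: "private key block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // A quoted literal assigned to something named like a credential.
  { name: "hard-coded credential", re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{12,}["']/i },
];

// File names that should never be committed, mirroring the .gitignore entries above.
const FORBIDDEN_FILES = [/^\.env(\..+)?$/, /\.pem$/, /\.key$/, /^credentials\.json$/, /^serviceAccountKey\.json$/];

// Scan one file; returns a list of {path, line, rule}. line 0 means the file name itself.
function scanFile(path, contents) {
  const findings = [];
  const base = path.split("/").pop();
  if (FORBIDDEN_FILES.some((re) => re.test(base))) {
    findings.push({ path, line: 0, rule: "forbidden file name" });
  }
  contents.split("\n").forEach((text, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(text)) findings.push({ path, line: i + 1, rule: name });
    }
  });
  return findings;
}

// Scan a map of path -> contents, e.g. what a pre-commit hook reads from the index.
function scanStaged(staged) {
  return Object.entries(staged).flatMap(([path, contents]) => scanFile(path, contents));
}

// Constructed sample "staged changes": a safe file, a leaking file, and a forbidden file.
// The key values are placeholders, not real credentials.
const STAGED = {
  "src/client.js": 'const API_KEY = process.env.API_KEY;\nif (!API_KEY) throw new Error("API_KEY not set");\n',
  "src/legacy.js": 'const API_KEY = "sk-EXAMPLEexampleEXAMPLE1234567890";\nconst aws = "AKIAIOSFODNN7EXAMPLE";\n',
  ".env.production": "API_KEY=sk-EXAMPLEexampleEXAMPLE1234567890\n",
};

// A hook would exit non-zero when findings is non-empty; here we only report them.
for (const f of scanStaged(STAGED)) {
  console.log(`${f.path}:${f.line}: ${f.rule}`);
}
```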
What to Do If a Secret Is Leaked
- Revoke the key immediately — don't just remove it from the code
- Generate a new key from the provider's dashboard
- Update all services using the old key
- Check for unauthorized usage in the provider's logs
- Clean git history using git filter-repo (not just removing it from the current commit)
- Audit access logs for suspicious activity during the exposure window
Remember: removing a secret from the latest commit does NOT remove it from git history. The old commit still contains it.
How We Verified
Practices based on OWASP API Security Top 10, GitHub security documentation, and GitGuardian research. Tools verified with current versions. April 2026.
Sources & Citations
- GitHub: Secret scanning — docs.github.com
- OWASP: API Security Top 10
- GitGuardian: State of Secrets Sprawl 2026