Node Secrets Assignment

Due: Sun, Aug 24, 2025 @ 10:59 PM CDT • 20% weight

Summary

Show 3 different ways of using secrets with a simple node app. Don’t keep hard coded or plaintext passwords around if you can help it. Best way is to use a real secrets manager like AWS Secrets Manager, but here we just demo 3 ways.

Best Practices

• Central secrets control plane
• Access control lists (ACLs)
• Dynamic secrets
• Encryption as a service
• Auditing

1. Hard coded secret

Make a repo with a simple node app. Hard code one variable (like a fake API key) and use it in your app. Example:

const secretKey = "hardcoded123";
console.log("My secret is:", secretKey);

2. Shared secrets file (all files in repo)

Put a secrets.json file in your repo. Push it to GitHub. When I clone your repo and run it, the app should work with those secrets. Then see if GitHub complains.

// secrets.json
{
  "dbPassword": "mypassword"
}

// app.js
const secrets = require("./secrets.json");
console.log("dbPassword is:", secrets.dbPassword);

3. Non-shared secrets file

No hard coded secrets, no secrets file in repo. Use a .env file that is not committed. The app should break without it, and in your README explain what secret is needed.

// .env (not in repo)
API_KEY=supersecret

// app.js
require("dotenv").config();
console.log("API key:", process.env.API_KEY);

Demo Repositories

• Hardcoded Secret Demo (GitHub) | Hardcoded Demo (GitHub Pages)
• Shared Secret Demo (GitHub) | Shared Demo (GitHub Pages)
• Non-shared Secret Demo (GitHub) | Non-shared Demo (GitHub Pages)

Resources

HashiCorp 5 Best Practices for Secrets Management