{
    "slug": "secrets_management",
    "term": "Secrets Management",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Storing, distributing, and rotating credentials securely — using dedicated tools rather than .env files in version control or hardcoded values in source code.",
    "long": "Secrets (API keys, database passwords, TLS and signing private keys) must never appear in source code, logs, or version control. Common tiers, in increasing assurance: environment variables injected at runtime (basic and sufficient for many apps, but note that environment variables are inherited by child processes and can surface in crash dumps and debug output), secrets managers (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager — audit trails, rotation, fine-grained access), and hardware security modules (HSMs — for cryptographic key material that should never leave the device). PHP apps typically read secrets from environment variables injected by the orchestration layer, never from committed .env files.",
    "aliases": [
        "secrets",
        "credentials management",
        "Vault",
        "AWS Secrets Manager"
    ],
    "tags": [
        "security",
        "devops",
        "credentials"
    ],
    "misconception": ".env files are secure because they are in .gitignore — .gitignore only prevents future commits; it does not remove secrets already committed, and the history is permanent unless rewritten. Even after a rewrite, a secret that was ever pushed must be treated as compromised and rotated, because clones, forks, and caches keep the old history.",
    "why_it_matters": "Leaked secrets in git history are the most common cause of cloud account compromises — GitHub scans public repos for credentials and notifies providers, but private leaks require your own monitoring.",
    "common_mistakes": [
        "Committing .env to version control even once — git history is permanent; rotate any secret ever committed.",
        "Logging request parameters or headers that may contain tokens — secrets leak into log aggregators.",
        "Same secrets across environments — a dev credential breach should not unlock production.",
        "Not rotating secrets after team member departure — former employees retain access to any secret they knew."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hardcoded_credentials",
        "secret_rotation",
        "dotenv",
        "api_key_exposure"
    ],
    "prerequisites": [
        "hardcoded_credentials",
        "configuration_management",
        "api_key_management"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
    ],
    "bad_code": "# .env committed to git:\nDB_PASSWORD=supersecret123\nSTRIPE_KEY=sk_live_abc123\nAPP_KEY=base64:xyz...\n\n# Even with .gitignore added later:\ngit log --all --full-history -- .env\n# Shows every historical version — credentials exposed forever",
    "good_code": "# Runtime injection — secret never in code:\n# docker-compose.yml:\nservices:\n  app:\n    environment:\n      DB_PASSWORD: ${DB_PASSWORD}  # Injected from host env or secrets manager\n\n# PHP reads from environment:\n$dsn = 'mysql:host=' . getenv('DB_HOST');\n$pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASSWORD'));\n\n# AWS Secrets Manager (for rotation support):\n$secret = json_decode($secretsManager->getSecretValue(['SecretId' => 'prod/db'])['SecretString'], true);",
    "quick_fix": "Use AWS Secrets Manager, HashiCorp Vault, or Doppler for production secrets — read them at startup into environment variables; never put real secrets in .env files committed to git",
    "severity": "critical",
    "effort": "high",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/secrets_management",
        "html_url": "https://codeclaritylab.com/glossary/secrets_management",
        "json_url": "https://codeclaritylab.com/glossary/secrets_management.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Secrets Management](https://codeclaritylab.com/glossary/secrets_management) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/secrets_management"
            }
        }
    }
}