https://github.com/zimbatm/go-secretvalue
- Host: GitHub
- URL: https://github.com/zimbatm/go-secretvalue
- Owner: zimbatm
- License: apache-2.0
- Created: 2019-04-18T16:51:24.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2023-12-15T02:35:32.000Z (over 2 years ago)
- Last Synced: 2025-04-07T12:33:42.248Z (about 1 year ago)
- Language: Go
- Homepage:
- Size: 10.7 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# go-secretvalue - Don't send secrets to logs
This Go library doesn't do much except encourage you to mark all your
application secrets properly.
Instead of:
```go
secret := os.Getenv("OAUTH_TOKEN") // a plain string: any log call prints the value
```
Write:
```go
secret := secretvalue.New("oauth-token") // the name is all that String() ever shows
secret.SetString(os.Getenv("OAUTH_TOKEN"))
os.Unsetenv("OAUTH_TOKEN") // don't leave the value in the process environment
```
Doing so prevents the secrets from reaching the logs inadvertently.
The `secret.String()` function exposes the secret name instead of the value,
which avoids sending the value into logs by mistake. This happens a lot, trust me.
## StringFlag
This library can also be used with the stdlib flag library. See
string_flag_test.go for an example.
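The following is an added example, not the library's own code, showing how a named secret type of the kind described above can be built so that `%v`, `%#v`, JSON encoding and the stdlib `flag` package (as in the StringFlag section) all see the name and never the value; the `Secret` type, its methods and the `-token` flag are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
)

// Secret is a hypothetical type written for this example (not the library's
// own code): it holds a sensitive string but prints only its name.
type Secret struct {
	name, value string
}

// NewSecret creates a named secret with an empty value.
func NewSecret(name string) *Secret { return &Secret{name: name} }

// SetString stores the value; Set does the same and satisfies flag.Value.
func (s *Secret) SetString(v string) { s.value = v }
func (s *Secret) Set(v string) error { s.value = v; return nil }

// String (fmt.Stringer and flag.Value) returns the name, never the value,
// so %v, %s and log.Printf all print the name.
func (s *Secret) String() string { return "[secret " + s.name + "]" }

// GoString covers %#v, which would otherwise dump the struct fields.
func (s *Secret) GoString() string { return s.String() }

// MarshalJSON keeps the value out of JSON-encoded log records.
func (s *Secret) MarshalJSON() ([]byte, error) { return json.Marshal(s.String()) }

// Value is the only accessor for the real secret; call it at the point of use.
func (s *Secret) Value() string { return s.value }

// ParseTokenFlag binds a secret to -token with the stdlib flag package and
// parses args, the way the StringFlag section describes.
func ParseTokenFlag(args []string) (*Secret, error) {
	fs := flag.NewFlagSet("example", flag.ContinueOnError)
	s := NewSecret("oauth-token")
	fs.Var(s, "token", "OAuth token (never logged)")
	return s, fs.Parse(args)
}

// Render returns what three common logging paths print for s (%v, %#v and
// JSON encoding), so the redaction can be checked.
func Render(s *Secret) (string, string, string) {
	js, _ := json.Marshal(map[string]*Secret{"token": s})
	return fmt.Sprintf("token=%v", s), fmt.Sprintf("%#v", s), string(js)
}

func main() {
	s, _ := ParseTokenFlag([]string{"-token", "hunter2"}) // constructed sample value
	fmt.Println(Render(s))
}
```

Without the `GoString` and `MarshalJSON` methods, `%#v` and structured JSON loggers would still print the field contents, which is the caveat to check when adopting any such wrapper.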
## Companies that have sent passwords to logs by mistake
Remember these are only publicly known instances.
* Twitter: https://arstechnica.com/information-technology/2018/05/twitter-advises-users-to-reset-passwords-after-bug-posts-passwords-to-internal-log/
* GitHub: https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/
* Facebook: https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users
* ...
## Missing features
* Optionally use `mlock(2)` on supported systems to prevent the value from
going to swap.
## Other attacks
This library doesn't prevent the value from going to swap disk. Make sure to
disable swap on all of your servers (`swapoff -a`).