
Security: Acquiredshot/wolf-pak-line-bot


SECURITY.md

Security Guidelines

  • Avoid committing secrets: Do not store real API keys, tokens, or passwords in code or docs.

  • Use environment variables: Reference secrets as $VAR in examples (e.g., -H "x-api-key: $API_KEY").

  • Keep .env private: Do not commit .env; set config on Heroku via heroku config:set.

  • Rotate exposed keys: If a secret is accidentally shared, rotate it immediately and invalidate old tokens.

  • Least privilege: Create minimal-scope API tokens (read-only unless write is required).

  • Transport security: Prefer HTTPS/TLS endpoints; never send secrets over plain HTTP.

  • Logging: Do not log secrets; scrub tokens from error messages.

  • Secret scanning: Periodically scan the repo for Authorization: Bearer, x-api-key, and known key patterns.

Example Safe Usage

# Use env variables instead of hardcoding
export API_KEY="your_generated_key"
curl -X POST https://your-app/api/invoice/process/upload \
  -H "x-api-key: $API_KEY" \
  -F "invoice=@path/to/invoice.pdf"

Heroku Config

heroku config:set API_KEY="new-rotated-key" --app wolfpak-line-bot
heroku restart --app wolfpak-line-bot

Developer Safeguards

  • Pre-commit hooks: This repo includes .pre-commit-config.yaml to prevent committing .env files and common secret patterns (OpenAI sk-..., AWS AKIA..., GitHub tokens, private keys). Enable locally:

    1. Install pre-commit: pipx install pre-commit or pip install --user pre-commit
    2. Install hooks: pre-commit install
    3. Run on all files (optional): pre-commit run --all-files

  • CI secret scanning: GitHub Actions runs TruffleHog on pushes and PRs to flag potential secrets in diffs and history.

  • Never commit secrets: Keep real values only in .env (gitignored) or in platform config vars (Heroku). Use .env.example for placeholders.
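As an added illustration of the secret-scanning and pre-commit items above (this is not the repo's own .pre-commit-config.yaml hook), a hypothetical Python hook that checks the files pre-commit hands it for the patterns these guidelines name, treats $VAR references such as "x-api-key: $API_KEY" as safe, and refuses any .env file other than .env.example. The regexes and the SAMPLE text are constructed assumptions, not taken from the project.

```python
# Hypothetical pre-commit hook (not the repo's code): scan the files passed as arguments for secret patterns.
import re
import sys
# "$VAR" references like "x-api-key: $API_KEY" are not secrets, so the header
# patterns reject a value starting with "$" via a negative lookahead.
PATTERNS = {
    "bearer-token": re.compile(r"Authorization:\s*Bearer\s+(?!\$)[A-Za-z0-9._\-]{16,}"),
    "x-api-key": re.compile(r"x-api-key:\s*(?!\$)[A-Za-z0-9._\-]{16,}", re.IGNORECASE),
    "openai-key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan_text(text, path="<text>"):
    """Return (path, line_no, pattern_name) for every line matching a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def is_env_file(path):
    """True for .env and variants like .env.local; .env.example only holds placeholders."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.startswith(".env") and base != ".env.example"

# Constructed sample standing in for a staged file; every value in it is fake.
SAMPLE = """\
curl -H "x-api-key: $API_KEY" https://your-app/api/invoice/process/upload
curl -H "x-api-key: 0123456789abcdef0123" https://your-app/api/invoice/process/upload
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
-----BEGIN RSA PRIVATE KEY-----
"""

def main(paths):
    # Exit status 1 blocks the commit; pre-commit shows what was printed.
    findings = []
    for path in paths:
        if is_env_file(path):
            findings.append((path, 0, ".env file (must not be committed)"))
        else:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings += scan_text(fh.read(), path)
    for p, n, name in findings:
        print(f"{p}:{n}: possible {name}")
    return 1 if findings else 0
if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into .pre-commit-config.yaml as a local hook it runs on every commit; the same scan_text function can be run over the whole tree for the periodic scan the guidelines ask for.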

There aren't any published security advisories