DO NOT commit the following to git:

• .env files
• API keys in code
• AWS credentials
• SSH keys
• Any file containing secrets

Before committing, check for secrets:

# Check if .env is tracked
git ls-files | grep .env

# Check for API keys in code
grep -r "api_key.*=" --include="*.py" --include="*.js" | grep -v ".env.example"
grep -r "GEMINI_API_KEY" --include="*.py" --include="*.js" | grep -v ".env.example"
grep -r "OPENAI_API_KEY" --include="*.py" --include="*.js" | grep -v ".env.example"

# Check for AWS credentials
grep -r "AWS_SECRET" --include="*.py" --include="*.js" | grep -v ".env.example"

1. Immediately rotate the keys:

   • Generate new API keys
   • Update .env file
   • Revoke old keys

2. Remove from git history:

   # Remove file from git history
   git filter-branch --force --index-filter \
     "git rm --cached --ignore-unmatch backend/.env" \
     --prune-empty --tag-name-filter cat -- --all
   
   # Force push (WARNING: This rewrites history)
   git push origin --force --all

3. Add to .gitignore (if not already):

   echo ".env" >> .gitignore
   git add .gitignore
   git commit -m "Add .env to gitignore"

✅ GOOD:

import os
api_key = os.getenv("GEMINI_API_KEY")

❌ BAD:

api_key = "AIzaSyD..."  # Never hardcode!

✅ GOOD:

# .env.example (commit this)
GEMINI_API_KEY=your_gemini_api_key_here

# .env (don't commit this)
GEMINI_API_KEY=AIzaSyD...actual_key...

Always verify sensitive files are in .gitignore:

# Check .gitignore includes .env
cat .gitignore | grep -E "^\\.env$"

# Verify .env is not tracked
git status --ignored | grep .env

• Development: Use test/sandbox keys
• Production: Use production keys
• Never use production keys in development

• Rotate API keys every 90 days
• Rotate AWS credentials every 180 days
• Immediately rotate if keys are leaked

• .env and all .env.* files (except .env.example)
• *.key, *.pem (private keys)
• credentials.json, secrets.json
• .aws/ directory
• id_rsa, id_ed25519 (SSH keys)
• Any file containing "secret", "key", "credential" in name

Before committing, verify:

# 1. Check for .env files
git status | grep .env
# Should return nothing

# 2. Check for API keys in code
grep -r "api.*key.*=" --include="*.py" --include="*.js" | grep -v ".env.example" | grep -v "os.getenv"
# Should return nothing

# 3. Verify .gitignore is up to date
cat .gitignore | grep -E "^\\.env$"
# Should return: .env

# 4. Check git status
git status
# Review all changes before committing

Create a pre-commit hook to check for secrets:

# .git/hooks/pre-commit
#!/bin/bash

# Check for .env files
if git diff --cached --name-only | grep -E "\.env$"; then
    echo "ERROR: .env file detected in commit!"
    echo "Please remove .env from staging area."
    exit 1
fi

# Check for hardcoded API keys
if git diff --cached | grep -E "(api_key|API_KEY|secret|SECRET)\s*=\s*[\"'][^\"']{10,}"; then
    echo "WARNING: Possible API key detected in code!"
    echo "Please use environment variables instead."
    exit 1
fi

exit 0

Make it executable:

chmod +x .git/hooks/pre-commit

1. Use IAM Roles instead of access keys when possible
2. Limit Permissions: Only grant necessary permissions
3. Use MFA: Enable multi-factor authentication
4. Rotate Keys: Regularly rotate access keys
5. Monitor Usage: Set up CloudTrail to monitor API usage

1. Encrypt Models: Use encryption at rest
2. VPC Configuration: Deploy endpoints in VPC
3. Access Control: Use IAM policies to restrict access
4. Monitor Logs: Enable CloudWatch logging

If you discover a security vulnerability:

1. DO NOT create a public issue
2. Contact the maintainers privately
3. Provide details of the vulnerability
4. Wait for confirmation before disclosing

• GitHub Security Best Practices
• OWASP API Security
• AWS Security Best Practices
• 12-Factor App: Config