What is best practice for keeping API keys and access details for the database secure?
We will be deploying with Nodejitsu's jitsu deploy, so my thought is to have a config file that will not be part of git.
Our current config file, which I will have .gitignore'd:

    module.exports = (app) ->
      app.configure 'development', ->
        global.config =
          dbUrl: 'mongodb://username:password@host:port/closet'
          foursquare:
            client_id: 'xxx'
            client_secret: 'xxx'
            redirect_uri: 'http://127.0.0.1:3000/account/auth/foursquare/done'
        return
      app.configure 'production', ->
        global.config =
          dbUrl: 'mongodb://username:password@host:port/closet'
          foursquare:
            client_id: 'yyy'
            client_secret: 'yyy'
            redirect_uri: 'http://example.com/account/auth/foursquare/done'
        return
      return

Usually what I do is store my configuration in a config.json, add it to my .gitignore, and then include a .npmignore so that npm doesn't use the .gitignore to decide what to bundle. That way, git doesn't add the config.json yet jitsu bundles it on deploy.
env variables, as booyaa suggested, will also work.
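
The two approaches in the answer above (a git-ignored config.json and environment variables) can be combined in one loader that fails at startup when a secret is missing and never logs secrets in clear. This is an added example, not code from the question or the answer; the environment variable names (DB_URL, FOURSQUARE_*) and the helper names are assumptions.

```javascript
// Added example: layered loader for the settings shown in the question.
// Env var names (DB_URL, FOURSQUARE_*) are assumptions, not a platform convention.
const REQUIRED = {
  dbUrl: 'DB_URL',
  'foursquare.client_id': 'FOURSQUARE_CLIENT_ID',
  'foursquare.client_secret': 'FOURSQUARE_CLIENT_SECRET',
  'foursquare.redirect_uri': 'FOURSQUARE_REDIRECT_URI',
};

// Read the git-ignored file if it exists; a missing file is not an error.
function readOptional(path) {
  try {
    return require('fs').readFileSync(path, 'utf8');
  } catch (err) {
    if (err.code === 'ENOENT') return null;
    throw err;
  }
}

// Look up a dotted path such as 'foursquare.client_id' in a nested object.
const getPath = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Assign a dotted path, creating intermediate objects as needed.
function setPath(obj, path, value) {
  const keys = path.split('.');
  const last = keys.pop();
  const target = keys.reduce((o, k) => (o[k] = o[k] || {}), obj);
  target[last] = value;
}

// Environment variables override config.json; missing values abort startup.
// The error lists setting names only, never values.
function loadConfig(env = process.env, fileText = readOptional('config.json')) {
  const fromFile = fileText ? JSON.parse(fileText) : {};
  const config = {};
  const missing = [];
  for (const [path, envName] of Object.entries(REQUIRED)) {
    const value = env[envName] || getPath(fromFile, path);
    if (value) setPath(config, path, value);
    else missing.push(`${path} (${envName})`);
  }
  if (missing.length) throw new Error('Missing config: ' + missing.join(', '));
  return config;
}

// Copy that is safe to log: secret replaced, password stripped from the URL.
function redact(config) {
  const copy = JSON.parse(JSON.stringify(config));
  copy.foursquare.client_secret = '[redacted]';
  copy.dbUrl = copy.dbUrl.replace(/\/\/([^:@\/]+):[^@]*@/, '//$1:[redacted]@');
  return copy;
}
```

Call `loadConfig()` once at startup and pass only `redact(config)` to anything that writes logs or error reports.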