Secret data in Config on Server

I’m storing some secret keys in the Config on the server and I feel the way it’s kept is not very secret. If anybody gets into the admin panel, that person can easily see the data.

Does Moralis recommend some better way? I have an idea but would like to see if there is something that Moralis recommends.

We recommend that you use your own server to keep those secrets. In the near future we plan on open-sourcing the server, and at that time you can self-host it.

What I’m thinking about are things like API keys and API secret keys and such. Not private keys.

Are you suggesting that when I want to do Moralis.httpRequest where I need the API (secret) key, I first query my server to retrieve those keys? That wouldn’t give me any extra security, just more complications.

Maybe I’m misunderstanding.

You could save API keys; for private keys it is not recommended.

I agree, no private keys :slight_smile:

But I still feel my API keys are a bit open, visible in the UI. I would like to make a suggestion; see what you think?

When creating a Config entry, have a “secret” option. When the secret option is selected, the value of the config entry is encrypted using a secret key that is nowhere visible in the UI.

This secret key is only available once, when the user creates it; after that it cannot be retrieved in the UI (or it’s never available at all).

Then, when the user reads the config using Moralis.Config.get, the server sees that this is a secret and decrypts the content. Similar to GitHub secrets, the server would prevent the key from being written to logs (as far as possible).

As the plan for the near future is to open-source the server part so that you self-host it, at that time you can make any implementation that you want.
