Skip to content

How should secrets like API keys and database passwords be managed in an application?

Short answer

Never hardcode secrets in source or commit them to git. Store them in a dedicated secrets manager or vault, inject them at runtime, scope access with least privilege, rotate regularly, and prefer short-lived dynamic credentials over long-lived static ones. Audit every access.

Secrets — API keys, DB passwords, signing keys, tokens — are high-value targets because a single leaked one can unlock entire systems. Managing them well is mostly about keeping them out of the places they tend to leak and limiting the damage if one does.

The cardinal rule: not in code

Secrets must never live in source code, config files committed to version control, container images, or client-side bundles. Git history is forever — a secret committed once is compromised even after you delete it, so it must be rotated, not just removed. Embedding secrets in a compiled binary doesn't help either; they're trivially extractable.

Centralize and inject

Store secrets in a purpose-built secrets manager or vault (HashiCorp Vault, AWS Secrets Manager, cloud KMS-backed stores). The application fetches them at runtime via an authenticated identity, or they're injected as environment variables/mounted files by the platform. This centralizes control, encryption, and auditing.

Limit blast radius

  • Least privilege: each service can read only the specific secrets it needs.
  • Rotation: rotate secrets on a schedule and immediately on suspected exposure.
  • Short-lived dynamic credentials: the best pattern — the vault generates a credential on demand that expires in minutes, so a leaked secret is useless almost immediately and there's nothing long-lived to steal.
  • Audit logging: record every secret access to detect misuse.

The bootstrapping problem

There's always a "secret zero" — the initial credential an app uses to authenticate to the vault. Solve it with platform-provided workload identity (instance roles, OIDC federation, mTLS) rather than yet another static secret.

What interviewers look for

The baseline is "never hardcode, use a vault." The mid-level signal is rotation, least-privilege scoping, and especially favoring short-lived dynamic credentials, plus awareness of the secret-zero bootstrapping challenge.

Likely follow-ups

  • Why are short-lived dynamic credentials better than static ones?
  • A secret leaked into git history — what do you do?
  • How do you handle the 'secret zero' bootstrapping problem?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.