
This Stripe API Key is hardcoded. For better security, consider using a .env file. See https://stripe.com/docs/keys#safe-keys for more advice. #222

Closed
dani3l3 opened this issue May 6, 2021 · 1 comment

Comments

@dani3l3

dani3l3 commented May 6, 2021

This message/recommendation also triggers for my actual .env file; the key is NOT in the code.
I guess those .env files should be excluded from the scan if the recommendation is to use them... It sounds rather stupid to be scolded because you should be doing something... that you are actually already doing.
I am using this popular library to handle the .env configuration: https://github.com/vlucas/phpdotenv

gracegoo-stripe added a commit that referenced this issue Jun 3, 2021
This change only protects against the specific redacted format that Stripe returns which looks something like "sk_live_aa********************1234".
It does not attempt to detect other potential ways users can modify the keys nor actually validate that the key is real.

This change fixes #220 and #222
gracegoo-stripe added a commit that referenced this issue Jun 3, 2021
The redaction change is targeted to protect against the specific redacted format that Stripe returns which looks something like "sk_live_aa********************1234".
It does not attempt to detect other potential ways users can modify the keys nor actually validate that the key is real.

This change fixes #220 and #222
@gracegoo-stripe
Contributor

Thanks for reporting the bug @dani3l3! We've added logic to ignore .env files from being flagged by our linter in the PR above.
