Prefer using environment variables over hard-coded credentials?
Closed this issue · 3 comments
Would you accept a pull request to change the README to suggest the use of credentials set by environment variable over hard-coded credentials? Doing so reduces the attack surface somewhat.
Sure, if it makes sense, I'm open. However, could you elaborate on that? Why does it reduce the attack surface? You still have to store the credentials somewhere (most likely it's going to be ~/.bashrc for env vars). What type of attack do you mean? AFF is mostly used on local developer machines.
@pmazurek Ah, I meant more that they wouldn't be stored anywhere. Instead, they'd be generated when required (and then available on a per-shell basis), rather than stored on disk.
Interesting approach, how would you go about implementing it? I'm mostly interested in the on-the-go credentials generation, as I currently have no clue how that would work.
Anyways, as the main question has been answered, I think we can close this issue and discuss further on the PR if it's opened?