is security broken down?
Closed this issue · 1 comment
In the file '/development.ini', the API secrets (Google, Facebook, and Twitter) used by velruse are revealed. Thus, I would like to note that this has perhaps made the system vulnerable.
I would suggest the best practice of only providing a sample configuration file (like 'development.ini.sample') instead of the real one described above. For the development environment, and especially in production, the real configuration files such as 'development.ini' should be listed in '.gitignore'.
For more information:
https://help.github.com/articles/ignoring-files
http://git-scm.com/docs/gitignore
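The sample-file plus .gitignore practice proposed above, worked through as an added example in Python (the project's language). This is not code from the Pumbaa project: the velruse option names (velruse.<provider>.consumer_key / consumer_secret), the file names, and every credential value below are assumptions or constructed sample data. It generates development.ini.sample from a real development.ini with the credentials replaced by a placeholder, and provides a pre-commit style check that fails if the sample still carries live values or if the real files are not ignored.

```python
"""Keep live API credentials out of version control.

Added example for the practice proposed in the issue above; not code from the
Pumbaa project. The velruse option names (velruse.<provider>.consumer_key and
consumer_secret), the file names and every credential value are assumptions or
constructed sample data, not copied from the project's files.
"""
import re
import tempfile
from pathlib import Path

# Option names whose last dotted component contains one of these are treated as
# credentials (assumed naming convention; extend it for your own settings).
SECRET_MARKERS = ("secret", "key", "password", "token")
PLACEHOLDER = "CHANGEME"
# "name = value" or "name: value" lines; section headers and comments never match.
OPTION_RE = re.compile(r"^(?P<key>[^\s=:#;\[][^=:]*?)\s*[=:]\s*(?P<value>.*)$")

# Constructed stand-in for a real development.ini (all values are fake).
REAL_INI = """[app:main]
use = egg:pumbaa
velruse.google.consumer_key = 1234567890.apps.googleusercontent.com
velruse.google.consumer_secret = fakesecret-google
velruse.facebook.consumer_key = 000000000000
velruse.facebook.consumer_secret = fakesecret-facebook
velruse.twitter.consumer_key = fakekey-twitter
velruse.twitter.consumer_secret = fakesecret-twitter
sqlalchemy.url = sqlite:///%(here)s/pumbaa.sqlite
"""


def is_secret_option(option: str) -> bool:
    """True when the option's last dotted component looks like a credential name."""
    leaf = option.strip().rsplit(".", 1)[-1].lower()
    return any(marker in leaf for marker in SECRET_MARKERS)


def redact(ini_text: str) -> str:
    """Return ini_text with every credential value replaced by PLACEHOLDER.

    Works line by line so comments, ordering and non-secret lines survive intact.
    """
    out = []
    for line in ini_text.splitlines():
        m = OPTION_RE.match(line)
        if m and is_secret_option(m.group("key")):
            line = f"{m.group('key').strip()} = {PLACEHOLDER}"
        out.append(line)
    return "\n".join(out) + "\n"


def leaked_secrets(ini_text: str) -> list:
    """Credential options whose value is neither empty nor the placeholder."""
    found = []
    for line in ini_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if is_secret_option(key) and value not in ("", PLACEHOLDER):
            found.append(key)
    return found


def gitignore_covers(gitignore_text: str, filename: str) -> bool:
    """Literal check: is filename (or /filename) an un-negated pattern line?

    Deliberately not a full gitignore matcher; `git check-ignore -v FILE` is
    the authoritative answer once the repository exists.
    """
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if line.lstrip("/") == filename:
            return True
    return False


def bootstrap(repo_dir, real_ini_text: str) -> Path:
    """Lay out the recommended files: real ini (ignored), .sample (committed), .gitignore."""
    repo = Path(repo_dir)
    (repo / "development.ini").write_text(real_ini_text)
    (repo / "development.ini.sample").write_text(redact(real_ini_text))
    (repo / ".gitignore").write_text(
        "# real configuration files carry live credentials; never commit them\n"
        "development.ini\n"
        "production.ini\n"
    )
    return repo


def precommit_check(repo_dir) -> list:
    """Problems a pre-commit hook would reject the commit for (empty list = OK)."""
    repo = Path(repo_dir)
    problems = []
    ignore_path = repo / ".gitignore"
    ignore = ignore_path.read_text() if ignore_path.exists() else ""
    for name in ("development.ini", "production.ini"):
        if not gitignore_covers(ignore, name):
            problems.append(f"{name} is not listed in .gitignore")
    sample = repo / "development.ini.sample"
    if sample.exists():
        for key in leaked_secrets(sample.read_text()):
            problems.append(f"development.ini.sample still holds a real value for {key}")
    return problems


def demo() -> dict:
    """Run the check on the recommended layout and on a leaky one; return both results."""
    clean = bootstrap(tempfile.mkdtemp(), REAL_INI)
    leaky = Path(tempfile.mkdtemp())
    # The situation the issue describes: live values committed, nothing ignored.
    (leaky / "development.ini.sample").write_text(REAL_INI)
    return {"clean": precommit_check(clean), "leaky": precommit_check(leaky)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Wire `precommit_check` into a pre-commit hook so a commit that would ship a live value in the sample, or that forgets the ignore rule, is refused before it reaches the repository. Note that adding a file to '.gitignore' after it has already been committed neither untracks it nor removes the earlier revisions from history, so any credential that was ever pushed should be treated as exposed and rotated with the provider.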
Thank you for your suggestion. The API secrets that appear in development.ini are for a test API service. When Pumbaa is deployed, I change the secret keys to those of another API, which are available in production.ini. However, your suggestion let me know that there are people interested in this project. Next time, I will commit code more carefully. Then I will follow your suggestion to make Pumbaa more secure and better. By the way, let me know if you find any bugs or have more suggestions for the Pumbaa project.
Thank you,