Security Issue: Handling Secrets in Constants inside Cloud Foundry
According to the Mendix Buildpack documentation, Constants are set using environment variables:

>>>
Configuring Constants

The default values for constants will be used as defined in your project. However, you can override them with environment variables. You need to replace the dot with an underscore and prefix it with MX_. So a constant like Module.Constant with value ABC123 could be set like this:

cf set-env <YOUR_APP> MX_Module_Constant "ABC123"
<<<

In Cloud Foundry, however, inside your Apps Manager you can see the clear text values of Constants that contain secrets, passwords or encryption keys. This could be problematic. I suppose the best way to treat this is to set these sensitive items as runtime arguments, although I’m not sure. Or, how do we set a custom YAML file with constant values so that the startup.py script picks it up?

Thanks,
Herman
For exactly this reason I prefer to use the encryption module to store the values encrypted in the database.
And of course that can be pulled out and decrypted as well, but it is a bigger hassle than environment constants.
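
An added example, not part of the original thread or of the Mendix Buildpack: a Python check that applies the naming rule quoted in the question to a list of project constants and reports which sensitive-looking ones are set in clear text through the app environment, so they can be moved to encrypted storage. The constant names, the environment values and the name heuristic are constructed assumptions.

```python
import re

# Name fragments suggesting a constant holds a secret (heuristic assumed for this example).
SENSITIVE = re.compile(
    r"secret|passw(or)?d|pwd|token|api_?key|encrypt|private_?key|credential", re.I
)


def constant_to_env(name: str) -> str:
    """Apply the rule quoted from the buildpack docs: dot -> underscore, MX_ prefix."""
    return "MX_" + name.replace(".", "_")


def mask(value: str) -> str:
    """Report only the length, so the audit output never repeats the secret."""
    return f"<redacted, {len(value)} chars>"


def audit(env: dict, constants: list) -> list:
    """Return (constant, env var, masked value) for sensitive-looking constants
    whose value is set in clear text through the app environment."""
    findings = []
    for const in constants:
        var = constant_to_env(const)
        if var in env and SENSITIVE.search(const):
            findings.append((const, var, mask(env[var])))
    return findings


# Constructed sample: constant names of a hypothetical project and the
# environment as it would be visible for the app.
SAMPLE_CONSTANTS = ["Module.Constant", "Payments.ApiKey", "Mail.SmtpPassword", "Core.PageSize"]
SAMPLE_ENV = {
    "MX_Module_Constant": "ABC123",
    "MX_Payments_ApiKey": "constructed-key-value",
    "MX_Mail_SmtpPassword": "constructed-password",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for const, var, shown in audit(SAMPLE_ENV, SAMPLE_CONSTANTS):
        print(f"{const} is set in clear text via {var}: {shown}")
```

The check starts from the project's constant list because the name mapping is lossy: a module or constant name that itself contains an underscore cannot be recovered from the environment variable name alone.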