By centrally managing confidential information in the local environment with 1Password, you can prevent the risk of disclosing API Keys, etc. to github.
Read More →
How to use AWS Secrets Manager for storing confidential information such as API Keys.
Read More →
Pros of JWT validate the access token without accessing the database get user ID etc from access token without accessing database Pros of JWT-RS Even outside the source of the access token, verify validity and acquire user ID etc using public key How to generate RSA key $ openssl genrsa 4096 > prikey.txt $ # Generate public key $ openssl rsa -pubout < prikey.txt > pubkey.txt $ # Convert secret
Read More →
To save passwords, BCrypt is better than SHA hash Pros Protect against rainbow table attacks (Generate different hashes with the same password) Resistant to brute-force attacks Setup Updating your dependencies // build.gradle dependencies { compile "org.springframework.security:spring-security-core" } Usage ... user.passwordHash = BCryptPasswordEncoder().encode(password) user.save() fun login(userId:String, password: String): Boolean { ... if(!BCryptPasswordEncoder().matches(password, user.passwordHash)){ return false } return true }
Read More →
In AWS (ECS / EC 2), when using database password or RSA secret key, It is good to obtain from AWS Secrets Manager Terraform settings AWS Secrets Manager Create AWS Secrets Manager with terraform resource "aws_secretsmanager_secret" "something" { name = "${var.app_name}/${terraform.workspace}/something" kms_key_id = "${aws_kms_key.main.key_id}" } resource "aws_secretsmanager_secret_version" "something" { secret_id = "${aws_secretsmanager_secret.something.id}" secret_string = "{}" lifecycle { ignore_changes = ["secret_string"] } } IAM Role Add permissions to read/write values to
Read More →