
Security: FIFTHMAGE/LASTMILE


SECURITY.md

Security Guide - API Keys and Sensitive Data Protection

🔒 Protected Files

Your root and Next.js .gitignore files have been updated to keep the following sensitive files out of the repository. Keep in mind that an ignore rule only affects files git is not yet tracking: anything committed before the rule was added stays tracked until it is removed from the index, which is covered under Recommended Next Steps below.

Environment Variables

  • .env (all variants)
  • .env.local, .env.development, .env.production
  • .env.staging, .env.test
  • .env.example is the one deliberate exception: it is a placeholder-only template and must remain committable, so if the rules use a wildcard such as .env.* they need a trailing !.env.example negation

API Keys & Credentials

  • config/keys.js, config/secrets.js
  • config/credentials.json
  • secrets/, keys/, .secrets, .credentials
  • api-keys.json, service-account.json
  • firebase-adminsdk-*.json

Database Credentials

  • database.json, db-config.json
  • mongodb.conf, redis.conf
  • Connection strings and database URLs

SSL Certificates & Private Keys

  • *.pem, *.key, *.crt, *.cert
  • *.p12, *.pfx
  • ssl/, certs/ directories

Authentication Tokens

  • tokens/, .tokens
  • auth-tokens.json, jwt-secret.txt

Cloud Provider Credentials

  • .aws/, aws-config.json
  • .gcloud/, gcloud-service-account.json
  • .azure/, azure-credentials.json

Payment Provider Keys

  • stripe-keys.json, .stripe/
  • paypal-config.json, .paypal/

Third-Party Service Keys

  • sendgrid-api-key.txt
  • twilio-config.json
  • firebase-config.json
  • google-api-credentials.json
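The list above is only as good as the patterns behind it, so here is an added shell check (not the repository's own tooling) that builds a scratch repository with a pattern set and asks git check-ignore about representative paths. The pattern set is my reconstruction of the categories above, not the real .gitignore from the repo, and the sample paths are constructed for the demo; note the !.env.example negation, without which a .env.* wildcard would also swallow the templates the page says are safe to commit.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own .gitignore or tooling.
# Builds a throwaway repo with the pattern set below and asks git which paths
# it would ignore. Requires git and mktemp.
set -u

# Assumed pattern set, reconstructed from the categories above. The negation
# matters: `.env.*` would also match `.env.example`, which must stay
# committable, so the template is re-included after the wildcard.
GITIGNORE_PATTERNS='
.env
.env.*
!.env.example
config/keys.js
config/secrets.js
config/credentials.json
secrets/
keys/
.secrets
.credentials
api-keys.json
service-account.json
firebase-adminsdk-*.json
database.json
db-config.json
*.pem
*.key
*.crt
*.cert
*.p12
*.pfx
ssl/
certs/
tokens/
.tokens
auth-tokens.json
jwt-secret.txt
.aws/
.gcloud/
.azure/
'

# make_repo: prints the path of a fresh scratch repository holding the patterns.
make_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf '%s\n' "$GITIGNORE_PATTERNS" > "$dir/.gitignore"
  echo "$dir"
}

# is_ignored REPO PATH: exit 0 if git would ignore PATH, 1 otherwise.
# The path does not have to exist; check-ignore evaluates the rules only.
is_ignored() {
  git -C "$1" check-ignore -q -- "$2"
}

# check_patterns: 0 when every sensitive sample path is ignored and every
# template or source path is not; prints each failure it finds.
check_patterns() {
  local repo rc=0 p
  repo=$(make_repo)
  for p in .env .env.production nextjs/.env.local config/keys.js \
           secrets/prod.json ssl/server.key firebase-adminsdk-abc123.json \
           .aws/credentials certs/ca.pem jwt-secret.txt; do
    is_ignored "$repo" "$p" || { echo "NOT ignored: $p"; rc=1; }
  done
  for p in .env.example nextjs/.env.example package.json src/app/page.tsx; do
    is_ignored "$repo" "$p" && { echo "wrongly ignored: $p"; rc=1; }
  done
  rm -rf "$repo"
  return "$rc"
}

check_patterns && echo "ignore rules behave as intended"
```

Run the same is_ignored call against the real repository (git -C . check-ignore -v path) whenever the ignore rules change; the -v flag prints which line matched, which is the quickest way to spot a template that has been swallowed by a wildcard.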

πŸ›‘οΈ Current Environment Files Status

Root Directory:

  • ✅ .env - Protected by .gitignore
  • ✅ .env.production - Protected by .gitignore
  • ✅ .env.example - Safe to commit (template only)

Next.js Directory:

  • ✅ .env.local - Protected by .gitignore
  • ✅ .env.example - Safe to commit (template only)

📋 Security Checklist

✅ Completed

  • Updated root .gitignore with comprehensive security patterns
  • Updated Next.js .gitignore with security patterns
  • Protected all environment variable files
  • Protected API keys and credentials
  • Protected database connection strings
  • Protected SSL certificates and private keys
  • Protected authentication tokens
  • Protected cloud provider credentials
  • Protected payment provider keys
  • Protected third-party service keys

🔄 Recommended Next Steps

  1. Verify Git Status

    git status

    Make sure no sensitive files are staged for commit. Remember that git status only reports untracked and changed files: a secret file committed before the ignore rule existed will not show up here but is still tracked, so check the output of git ls-files as well.

  2. Remove Sensitive Files from Git History (if already committed)

    git filter-branch --force --index-filter \
    'git rm --cached --ignore-unmatch .env' \
    --prune-empty --tag-name-filter cat -- --all

    git now recommends git filter-repo over filter-branch, which is deprecated but still ships with git. Whichever tool you use, the rewrite only touches the local refs: filter-branch keeps a backup of the old branches under refs/original/, the reflog still points at the old commits, and the remote and every existing clone or fork keep them regardless. Treat the rewrite as cleanup after rotating the secret, never as a substitute for it, and keep a copy of the real .env outside the repository before running it.

  3. Use Environment Variables for All Secrets

    • Database URLs
    • API keys (Stripe, SendGrid, etc.)
    • JWT secrets
    • OAuth client secrets
  4. Example .env Structure

    Keep this shape in the committed .env.example with placeholder values only; the real values live in the untracked .env.

    # Database
    MONGODB_URI=mongodb://localhost:27017/lastmile
    REDIS_URL=redis://localhost:6379
    
    # Authentication
    # Use a long random value in the real .env; this placeholder must never reach production
    JWT_SECRET=your-super-secret-jwt-key
    JWT_EXPIRES_IN=7d
    
    # API Keys: the secret ones are server-side only and must never get a
    # NEXT_PUBLIC_ prefix (the Stripe publishable key is public by design)
    STRIPE_SECRET_KEY=sk_test_...
    STRIPE_PUBLISHABLE_KEY=pk_test_...
    SENDGRID_API_KEY=SG....
    
    # App Configuration
    # Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle,
    # so only values that may be public belong under that prefix
    NEXT_PUBLIC_APP_URL=http://localhost:3000
    NODE_ENV=development
  5. Secure Production Deployment

    • Set secrets as environment variables in your hosting platform's configuration, not in files checked into the repository
    • Never hardcode secrets in your code
    • Use a secrets management service (AWS Secrets Manager, etc.) so production values are injected at runtime and can be rotated without a redeploy of the code
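Steps 1 to 3 above need one check the page does not spell out: adding a pattern to .gitignore does not untrack a file that was already committed, and git status will not flag it. The added shell helpers below (not the project's own tooling) list tracked files that the ignore rules now match, drop them from the index while leaving them on disk, and scan the staged diff for recognisable secret formats so the scan can be used as a pre-commit hook. The regexes are my assumptions about the key formats named on this page, and the scratch repository with its committed .env is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: pre-commit checks for steps 1-3.
# Requires git and mktemp.
set -u

# tracked_ignored REPO: prints tracked files that the ignore rules now match.
# git status never lists these; they stay in every future commit until they
# are removed from the index.
tracked_ignored() {
  git -C "$1" ls-files --cached --ignored --exclude-standard
}

# untrack_ignored REPO: removes those files from the index only; the working
# copy (your real .env) stays on disk.
untrack_ignored() {
  local repo=$1 f
  tracked_ignored "$repo" | while IFS= read -r f; do
    git -C "$repo" rm --cached --quiet -- "$f"
  done
}

# Assumed secret shapes for the demo: Stripe secret keys, SendGrid API keys,
# AWS access key IDs, PEM private-key headers, and database URLs that embed a
# password. Extend this to whatever your providers actually issue.
SECRET_RE='sk_(live|test)_[0-9A-Za-z]{8,}|SG\.[0-9A-Za-z_-]{16,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(mongodb(\+srv)?|postgres(ql)?|redis)://[^/:@]+:[^@]+@'

# scan_staged REPO: 0 if no added line in the staged diff matches SECRET_RE,
# 1 (with the offending lines on stderr) otherwise. Usable as a pre-commit hook.
scan_staged() {
  local hits
  hits=$(git -C "$1" diff --cached --unified=0 --no-color \
         | grep -E '^\+[^+]' | grep -E -- "$SECRET_RE" || true)
  if [ -n "$hits" ]; then
    printf 'refusing to commit, possible secrets in staged changes:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# demo_repo: constructed scratch repository in which .env was committed before
# the ignore rule existed, the situation the checks above are meant to catch.
demo_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf 'JWT_SECRET=demo-only-placeholder\n' > "$dir/.env"
  git -C "$dir" add .env
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m 'add env file (mistake)'
  printf '.env\n.env.*\n!.env.example\n' > "$dir/.gitignore"
  echo "$dir"
}
```

To use the scan as a hook, call scan_staged "$(git rev-parse --show-toplevel)" from .git/hooks/pre-commit; a non-zero exit aborts the commit. Untracking a secret file with git rm --cached still leaves its contents in earlier commits, which is what step 2 and the Emergency Response section deal with.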

🚨 Emergency Response

If you accidentally committed sensitive data:

  1. Immediately rotate all exposed credentials. Do this first: once a secret has been pushed, assume it has already been copied, and no history rewrite recalls it
  2. Remove it from git history using the command above, then delete the refs/original/ backups and expire the reflog before garbage-collecting, or the old commits remain in your local .git
  3. Force push to remote (⚠️ This rewrites history)
    git push origin --force --all
    Push the rewritten tags with the same --force flag as well, and on GitHub contact support to purge cached views of the old commits, which stay reachable by hash otherwise
  4. Update all team members about the security incident; everyone must re-clone or rebase onto the rewritten history, because a push from a stale clone would reintroduce the old commits
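The rewrite in step 2 looks complete in git log while the secret is still in the repository, which is the failure mode this section is about. The added script below (not from the repository; the three-commit history it builds is constructed for the demo) reproduces the situation, runs the page's filter-branch command, shows that the leaked blob is still reachable through filter-branch's refs/original/ backup, then finishes the local purge and verifies that the object is gone. It uses filter-branch because that is the command the page gives; git filter-repo is the tool git's own documentation now recommends.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: full local purge of a committed
# .env after the filter-branch step, with a check that it actually worked.
# Requires git and mktemp.
set -u
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's deprecation pause

# commit_in REPO MESSAGE: commit whatever is staged, with a throwaway identity.
commit_in() {
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m "$2"
}

# leaky_repo: constructed history where .env was committed in the middle.
leaky_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  echo '# lastmile' > "$dir/README.md"
  git -C "$dir" add README.md && commit_in "$dir" 'initial'
  echo 'STRIPE_SECRET_KEY=sk_test_DEMOONLY0000000000' > "$dir/.env"
  git -C "$dir" add .env && commit_in "$dir" 'wip (accidentally adds .env)'
  echo 'more docs' >> "$dir/README.md"
  git -C "$dir" add README.md && commit_in "$dir" 'docs'
  echo "$dir"
}

# env_reachable REPO: 0 if an object named .env is reachable from any ref,
# including the refs/original/ backups that filter-branch leaves behind.
env_reachable() {
  git -C "$1" rev-list --all --objects | grep -q ' \.env$'
}

# rewrite_history REPO: the page's step-2 command, run inside REPO.
rewrite_history() {
  git -C "$1" filter-branch --force --index-filter \
    'git rm --cached --ignore-unmatch .env' \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
}

# purge_backups REPO: drop the refs/original/ backups and the reflog, then
# prune the now-unreachable objects. Without this the secret is still inside
# .git even though git log no longer shows it.
purge_backups() {
  local repo=$1 ref
  git -C "$repo" for-each-ref --format='%(refname)' refs/original/ \
    | while IFS= read -r ref; do git -C "$repo" update-ref -d "$ref"; done
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc --prune=now --quiet
}

# purge_env REPO: prints whether .env is reachable before the rewrite, after
# filter-branch, and after the purge ("yes"/"no" on one line). Returns 0 only
# when the final state is "no" and the leaked blob no longer exists on disk.
purge_env() {
  local repo=$1 blob before mid after
  blob=$(git -C "$repo" rev-parse HEAD:.env)   # object id of the leaked file
  env_reachable "$repo" && before=yes || before=no
  rewrite_history "$repo"
  env_reachable "$repo" && mid=yes || mid=no
  purge_backups "$repo"
  env_reachable "$repo" && after=yes || after=no
  echo "$before $mid $after"
  [ "$after" = no ] && ! git -C "$repo" cat-file -e "$blob" 2>/dev/null
}
```

The expected sequence is "yes yes no": the middle "yes" is the point of the demonstration, because refs/original/ still holds the pre-rewrite branch. Even after the purge, this only cleans your own clone; the force push in step 3 and the re-clone in step 4 are still needed, and rotation in step 1 is what actually ends the exposure.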

📞 Support

If you need help with security configuration, refer to:


Remember: Security is everyone's responsibility. Always double-check before committing!
