This is why you should use a secrets manager like Doppler (https://doppler.com) or AWS Key Management Service (AWS KMS). Hardcoding your secrets or storing them in .env files will always risk something like this happening.
I wouldn't have expected to see Augmented Reality (AR) Marketing as one of the trends listed in this post. I think we're a little far off from it being a truly viable tactic.
You should know what they are doing and keep an eye on them, but I think it's important to be careful not to copy them and solve problems in your own way.
We've been using commit messages to tell a story using our git history and it's improved our code review process. By doing this, we've created a commit history that clearly details all the steps leading up to each change. By organizing our commits this way, we’re making our PRs easier for others to understand and giving ourselves a chance to refine our work. We also often spot opportunities to simplify or improve the code that we might have missed the first time around.
I've always liked this model for my own projects. However, I'm not sure it really builds trust, especially from a security standpoint. Open sourcing could mean more eyes on the code, potentially leading to better security through community audits. Yet, it also means exposing the inner workings to everyone, including those with malicious intent. A hosted version does offer a layer of professional oversight, which is reassuring, but I wonder about the implications for users who opt for the self-hosted route. How would you ensure they feel confident in the security and reliability of the software, knowing that they have the same access to the code as anyone else?
I would love to hear more thoughts on balancing these aspects to build and maintain trust with users.
Tracking for you and your team. So if a developer on your team goes rogue, you know when and what happened, just like how you can see who committed when and what on GitHub.
Your backend is as secure as you make it. The critical point is that if designed properly, this method is better than directly storing and using API keys from within your app.
I can assure you that another Software Engineer at Doppler and I wrote this blog - not AI. Feel free to ask anything. Thank you for the feedback.