by halfcat 336 days ago
I don’t know about varlock, but 1Password’s `op` CLI tool seems to hook the STDOUT pipe and find/replace any instances of the secrets with “concealed by 1Password”. It works even if I drop into a REPL and try every way I can think of to print it out to the console.

So it would seem, on that front, that 1Password is doing the heavy lifting.

Using 1Password in this way has proven way better than storing .env files in plain text on dev machines, where the .env files get picked up if a company does backups, or someone stores a repo in their Dropbox folder, file gets flagged as potential malware and uploaded somewhere for further analysis, etc.

1 comments

Exactly. We will do that to stdout - and can patch JS itself too.

The goal here is to just make it dead simple to do the right thing with minimal effort. Get secrets out of plaintext, avoid the need to send them around insecurely, and help make sure you don't shoot yourself in the foot, which is surprisingly easy to do in hybrid server/client frameworks like Next.js.

Can you set up validations, syncing with various backends, and these protections yourself by wiring together a bunch of tools with custom code? Of course... But here's one that will do it all with minimal effort.
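The stdout find/replace described in this thread, sketched as an added example that is not part of either comment and is not code from 1Password's `op` or from varlock. It covers the case where a secret arrives split across two output chunks; `createRedactor`, the `[redacted]` mask and the sample token are assumptions made for illustration.

```javascript
// Added example: mask known secret values in a chunked output stream.
function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

function createRedactor(secrets, mask = "[redacted]") {
  // Longest first, so a secret that contains a shorter one is masked whole.
  const list = [...new Set(secrets)].filter(Boolean).sort((a, b) => b.length - a.length);
  if (list.length === 0) return { write: (c) => c, flush: () => "" };
  const re = new RegExp(list.map(escapeRe).join("|"), "g");
  const maxLen = list[0].length;
  let carry = ""; // raw tail held back because it may be the start of a secret

  return {
    write(chunk) {
      const raw = carry + chunk;
      let out = "", last = 0;
      // Replace every complete secret found in the buffered text.
      for (const m of raw.matchAll(re)) {
        out += raw.slice(last, m.index) + mask;
        last = m.index + m[0].length;
      }
      const rest = raw.slice(last); // unmasked text after the final match
      // Hold back the longest suffix that is a proper prefix of any secret,
      // so a value split across two writes is still caught on the next call.
      let hold = 0;
      for (let n = Math.min(maxLen - 1, rest.length); n > 0; n--) {
        const tail = rest.slice(-n);
        if (list.some((s) => s.length > n && s.startsWith(tail))) { hold = n; break; }
      }
      carry = rest.slice(rest.length - hold);
      return out + rest.slice(0, rest.length - hold);
    },
    // At end of stream the held tail is only a partial match, so emit it.
    flush() { const out = carry; carry = ""; return out; },
  };
}

// Constructed sample: the token is split across two chunks.
const demo = createRedactor(["s3cr3t-token-123"]);
const demoOutput =
  ["key=s3cr3t-", "token-123\n"].map((c) => demo.write(c)).join("") + demo.flush();
console.log(JSON.stringify(demoOutput));
```

Exact-match masking of this kind only catches the literal value; it is a guard against accidental logging, not a substitute for keeping the secret out of the process that does not need it.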