[ludicast]

1) This is as many said, just an example of bad practice rather than something specific to AWS. I remember in my php days seeing commented-out php code in html that included db passwords. If putting passwords, api keys, etc. in client-side code doesn't make your hair stand up, well, something is wrong.

2) I would be curious what the backends were in these instances. With the growth of the BaaS-model for app development, I think we're going to see a lot more "offshoring" of these security things, where keys are thrown in the front-end app. "I do it with firebase, why not twilio or aws?"

[varkson]

How would someone manage to get commented out PHP in the HTML? Has the behaviour changed? The only way I can think of doing it would be to replace the PHP open and close with HTML comments. I can't imagine anyone doing that.

[ludicast]

Html commented around the php tags. Don't know behavior these days but back then the php tag with contents was visible in html source.

Guy I was consulting for was famous designer who needed help with web project he talked his way into. Can't be arrogant though, he'd probably laugh at my font, color and layout choices as equally naive/catastrophic.