# Security: no leaked API keys (modified)

The `modified/` tree (`backendpanel` + `ontime_flutter`) must not contain leaked API keys, FCM server keys, or other secrets in source code or in committed config files. All sensitive values must come from environment variables, secure config, or the database (set at deploy time), not from the repo.

## Requirement

- Backend: use only environment variables (e.g. `FCM_CREDENTIALS_*`, `GOOGLE_MAPS_API_KEY`) or DB-stored app settings. No hardcoded keys in PHP or config.
- Flutter: no server-side API keys (no FCM server key, no Maps key for server use). Only client-safe config (e.g. `google-services.json` from local/build; do not commit real keys).
- SQL / seeds: any seed or dump that inserts into `app_settings` (or similar) must use an empty string or a placeholder for `api_keyxendit`, `apikey_server`, `mobilepulsa_api_key`, `smtp_password`, etc., not production values.
## Checklist (run before release)

### Backend

- Run (from repo root):

  ```sh
  grep -rE "AIza|AAAA|keyfcm|api_key\s*=\s*['\"]" modified/backendpanel/application modified/backendpanel/application/config --include="*.php"
  ```

  The result must not show real keys; only `getenv()` calls or DB references are acceptable.
- Ensure no `google-services.json`, `*credentials*.json`, or `.env` files containing real keys are committed. These should be in `.gitignore` (see below).
### Flutter

- Ensure no FCM server key, Maps API key (for server use), or other backend secrets in `lib/` or committed config. The base URL in app config is acceptable (it is public).
### SQL / app_settings

- Any `INSERT` into `app_settings` (or similar) must use the empty string `''` or a placeholder (e.g. `'YOUR_KEY_HERE'`) for: `api_keyxendit`, `apikey_server`, `mobilepulsa_api_key`, `smtp_password`, `api_password`, `api_token`.
- Never commit production keys in SQL dumps or seed files.
## Automated check (optional)

Run the script in this folder to scan for common secret patterns:

```sh
./scripts/check-no-secrets.sh
```

Exit code 0 means no patterns found; non-zero means a potential leak (inspect and fix).
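As an added example (not the project's own `scripts/check-no-secrets.sh`), the POSIX shell script below implements the three checks from the checklist above in one place: the PHP grep for hard-coded key patterns with `getenv()` lines allowed, the `app_settings` seed check for the sensitive names listed, and a combined exit status of 0 (clean) or 1 (potential leak) matching the convention described. The exact regexes, the `backendpanel/` layout under a checkout root, and the one-row-per-line seed format are assumptions; the sample files it builds are constructed for the demo and are not project files.

```sh
#!/bin/sh
# Added example: a minimal secret scanner modelled on the checklist above.
# It is NOT the project's own scripts/check-no-secrets.sh; the patterns,
# directory layout and seed-file format are assumptions.

# Scan PHP sources under "$1" for hard-coded key patterns (Google "AIza..."
# keys, legacy FCM server keys "AAAA...:", and quoted api_key literals).
# Lines that take the value from getenv() are allowed, as the checklist says.
# Prints suspect lines; returns 0 when clean, 1 when something was found.
scan_php_secrets() {
    php_dir="$1"
    # "AAAA.......:" is an approximation of the legacy FCM server-key prefix.
    pattern="AIza[0-9A-Za-z_-]{20,}|AAAA[0-9A-Za-z_-]{7}:|api_key[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]"
    hits=$(grep -rnE --include='*.php' "$pattern" "$php_dir" 2>/dev/null | grep -v 'getenv(' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Scan *.sql files under "$1" for rows inserted into app_settings that give a
# sensitive key a real-looking value. Assumes one row per line in the form
#   INSERT INTO app_settings (...) VALUES ('<name>', '<value>');
# An empty string or the 'YOUR_KEY_HERE' placeholder is accepted.
scan_sql_seeds() {
    sql_dir="$1"
    sensitive='api_keyxendit|apikey_server|mobilepulsa_api_key|smtp_password|api_password|api_token'
    hits=$(grep -rnEi --include='*.sql' 'insert[[:space:]]+into[[:space:]]+`?app_settings' "$sql_dir" 2>/dev/null \
        | grep -E "'($sensitive)'[[:space:]]*,[[:space:]]*'[^']+'" \
        | grep -v "'YOUR_KEY_HERE'" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run both checks over a checkout root. Exit status follows the README's
# convention: 0 = no patterns found, non-zero = potential leak.
check_no_secrets() {
    root="$1"
    status=0
    scan_php_secrets "$root/backendpanel" || status=1
    scan_sql_seeds "$root" || status=1
    return "$status"
}

# Build a throwaway tree of constructed sample files (not project files) so
# the checks can be tried offline: "$tmp/clean" should pass, "$tmp/leaky" fail.
make_fixture() {
    tmp=$(mktemp -d)
    for t in clean leaky; do mkdir -p "$tmp/$t/backendpanel/application/config"; done
    cat > "$tmp/clean/backendpanel/application/config/keys.php" <<'EOF'
<?php
$api_key = getenv('GOOGLE_MAPS_API_KEY'); // value injected at deploy time
EOF
    cat > "$tmp/clean/seed.sql" <<'EOF'
INSERT INTO app_settings (name, value) VALUES ('api_keyxendit', '');
INSERT INTO app_settings (name, value) VALUES ('smtp_password', 'YOUR_KEY_HERE');
EOF
    cat > "$tmp/leaky/backendpanel/application/config/keys.php" <<'EOF'
<?php
$api_key = 'AIzaFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE'; // constructed fake key
EOF
    cat > "$tmp/leaky/seed.sql" <<'EOF'
INSERT INTO app_settings (name, value) VALUES ('api_token', 'fake-production-token');
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demo: evaluate the constructed clean and leaky trees.
if [ "${1:-}" = "--demo" ]; then
    fix=$(make_fixture)
    check_no_secrets "$fix/clean" && echo "clean tree: OK (exit 0)"
    check_no_secrets "$fix/leaky" || echo "leaky tree: potential leak (exit 1)"
    rm -rf "$fix"
fi
```

Run `sh check-no-secrets-example.sh --demo` to see both trees evaluated, or source the file and call `check_no_secrets modified` from the repo root. The `getenv(` filter is what keeps the accepted backend pattern from being reported, and the seed check only flags names from the checklist's list, so adding a new sensitive setting means extending `sensitive` as well.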