Protecting your sensitive variables when using heroku
At some point while building my app, I realized that hard coding my Wunderground API key into my files wasn’t the best idea. It would be quite easy for a malicious person to obtain my key from my github files. I’m aware that the chances of someone wanting my free API key are slim, but being secure is a good habit to practice.
First I tried using a getKey function which I placed in a file I hid with .gitignore. It looked something like this:
function getKey() { return '48927294202748920fjs928'; } module.exports.getKey = getKey;
And then I would import this file and call the getKey function when I needed my key. I thought all of this was very clever... until my heroku app broke.
Since heroku also uses git, my getKey file was being ignore online also. Which, really, should have been obvious. But live and learn!
I needed a new way to hide my key, but still use it. Fortunately, heroku allows you to set hidden variables, called config vars, for your project. Vars can be set with:
heroku config:set KEY='48927294202748920fjs928'
And then if you run heroku config you should see
== your-project-here Config Vars KEY: '48927294202748920fjs928'
Great! We have set our variables. Now we need to alter our code so we can access them. Every language will access these config vars a bit differently. In node.js, to use my API key, I call process.env.KEY and all should work properly.
For local deployment or quicker and more convenient testing, you can set these variables in a .env file. Then when you run your program with foreman start you should be able to access the config variables.













