Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: move hardcoded bootstrap API key to env var

Browse Source 
PUBLIC_AE_BOOTSTRAP_KEY replaces the hardcoded 'IDF68Em5X4HTZlswRNgepQ' in:
- src/routes/+layout.ts (site-domain bootstrap request)
- src/routes/testing/+page.svelte (trace agent key)

Added to .env.staging, .env.prod, .env.local (gitignored), and updated
.env.staging.default / .env.prod.default with XXXX placeholders.
Key can now be rotated independently from the main API secret key.
This commit is contained in:
Scott Idem
2026-03-10 16:30:11 -04:00
parent b7d9e9669d
commit f03627ef3c
4 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.env.staging.default
View File

@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
PUBLIC_AE_API_PATH=
PUBLIC_AE_API_SECRET_KEY=XXXX
PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
# Separate from the main API key — has limited permissions (no account_id required).
PUBLIC_AE_BOOTSTRAP_KEY=XXXX
PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here