---
title: Use Secrets Management For Backend Secrets
impact: CRITICAL
impactDescription: centralizes and secures credential storage
tags: secrets, vault, credentials, configuration, security
---

## Use Secrets Management For Backend Secrets

Hardcoded secrets end up in version control, where anyone with access to the code (or its history) can read them. Use a dedicated secrets management system instead.

**Incorrect (hardcoded or plain env files):**

```go
// Hardcoded in code: the key is now in every clone of the repository and its history
const APIKey = "sk-abc123xyz789"
```

```dotenv
# .env file committed to the repo: the database credential ships with the source
DATABASE_URL=postgres://admin:password@localhost/db
```

**Correct (secrets management):**

```go
import (
	"context"
	"log"
	"os"
)

// SecretStore stands in for a secrets manager client (AWS Secrets Manager,
// HashiCorp Vault, etc.); the concrete type comes from the vendor SDK.
type SecretStore interface {
	GetSecret(ctx context.Context, name string) (string, error)
}

// From a secrets manager: check the error instead of discarding it, so a
// failed fetch aborts startup rather than continuing with an empty password.
func fromSecretsManager(ctx context.Context, secretManager SecretStore) string {
	dbPassword, err := secretManager.GetSecret(ctx, "production/db-password")
	if err != nil {
		log.Fatalf("fetching production/db-password: %v", err)
	}
	return dbPassword
}

// From Kubernetes: the value is mounted into the pod from a K8s Secret and
// read from the environment, validated so the service fails closed.
func fromEnvironment() string {
	config := struct {
		DBPassword string
	}{
		DBPassword: os.Getenv("DB_PASSWORD"),
	}
	if config.DBPassword == "" {
		log.Fatal("DB_PASSWORD environment variable required")
	}
	return config.DBPassword
}
```
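The validation pattern above can be taken one step further. The following is an added example, not code from the original rule: it loads every required secret through an injectable lookup (so the loader is testable without touching the process environment), reports all missing or blank variables at once, and wraps each value in a `Secret` type whose `String`, `GoString` and `MarshalJSON` methods redact it, so a careless `log.Printf("%+v", cfg)` or JSON dump of the config cannot leak credentials. The variable names `DB_PASSWORD` and `API_KEY` and the `[REDACTED]` marker are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Secret wraps a credential so that accidental fmt/log/JSON output prints a
// redaction marker instead of the value. Reveal() is the only way to read it.
type Secret struct{ value string }

func NewSecret(v string) Secret                { return Secret{value: v} }
func (s Secret) Reveal() string                { return s.value }
func (s Secret) String() string                { return "[REDACTED]" }
func (s Secret) GoString() string              { return "[REDACTED]" }
func (s Secret) MarshalJSON() ([]byte, error)  { return []byte(`"[REDACTED]"`), nil }

// Config holds the secrets the service needs at startup. Fields are Secret so
// that formatting the whole struct with %v or %+v never leaks a value.
type Config struct {
	DBPassword Secret
	APIKey     Secret
}

// Lookup abstracts os.LookupEnv so the loader can be tested with a map.
// The boolean distinguishes "unset" from "set but empty".
type Lookup func(key string) (string, bool)

// requiredVars lists every secret the service refuses to start without
// (assumed names for this example).
var requiredVars = []string{"DB_PASSWORD", "API_KEY"}

// LoadConfig reads the mounted secrets and fails closed: every required
// variable must be present and non-blank. All problems are reported together
// so an operator fixes the deployment in one pass, not one variable per restart.
func LoadConfig(lookup Lookup) (*Config, error) {
	var missing []string
	values := make(map[string]string, len(requiredVars))
	for _, name := range requiredVars {
		v, ok := lookup(name)
		if !ok || strings.TrimSpace(v) == "" {
			missing = append(missing, name)
			continue
		}
		values[name] = v
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("missing required secrets: %s", strings.Join(missing, ", "))
	}
	return &Config{
		DBPassword: NewSecret(values["DB_PASSWORD"]),
		APIKey:     NewSecret(values["API_KEY"]),
	}, nil
}

func main() {
	cfg, err := LoadConfig(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup aborted:", err)
		os.Exit(1)
	}
	// Safe to log: every Secret field prints as [REDACTED].
	fmt.Printf("loaded config: %+v\n", *cfg)
	// The real value goes only to the component that needs it (e.g. the DB driver).
	_ = cfg.DBPassword.Reveal()
}
```

Run it with the two variables set and it prints `loaded config: {DBPassword:[REDACTED] APIKey:[REDACTED]}`; with either one unset or blank it exits non-zero naming every missing variable, which is the fail-closed behaviour the rule asks for.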

**Best practices:**
- Never commit secrets to version control
- Use secrets rotation
- Audit secret access
- Use different secrets per environment

**Tools:** HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
