---
title: Use Secrets Management For Backend Secrets
impact: CRITICAL
impactDescription: centralizes and secures credential storage
tags: secrets, vault, credentials, configuration, security, php
---

## Use Secrets Management For Backend Secrets

Hardcoded secrets (API keys, database passwords, tokens) are exposed in version control and can be accessed by anyone with code access. Use dedicated secrets management systems or environment variables that are not committed to the repository.

**Incorrect (hardcoded or plain env files):**

```php
// Hardcoded in code
define('API_KEY', 'sk-abc123xyz789');

// Hardcoded in a config file
$config = [
    'db' => [
        'password' => 'super-secret-password'
    ]
];

// .env file committed to repo (vulnerable)
// DB_PASSWORD=password123
```

**Correct (secrets management):**

```php
// Using environment variables (not committed to VCS)
$dbPassword = getenv('DB_PASSWORD');

// In Laravel (using .env which is in .gitignore)
$password = env('DB_PASSWORD');
// Or via config (Recommended)
$stripeKey = config('services.stripe.key');

// Using a dedicated Secrets Manager (e.g., AWS Secrets Manager via SDK)
use Aws\SecretsManager\SecretsManagerClient;

$client = new SecretsManagerClient(['region' => 'us-east-1']);
$result = $client->getSecretValue(['SecretId' => 'prod/db/password']);
$dbPassword = $result['SecretString'];

// Validation at startup
if (!$dbPassword) {
    throw new \RuntimeException('DATABASE_URL environment variable is required but not set.');
}
```

**Best practices:**
1. Never commit `.env` files or hardcoded secrets to version control.
2. Use a `.env.example` to document required variables without real data.
3. Use secrets rotation for critical credentials.
4. Audit access to your production secrets.
5. Use different secrets for development, staging, and production environments.

**Tools:** HashiCorp Vault, AWS Secrets Manager, Dotenv PHP, SonarQube