It's App Dev 101: Don't hard-code API tokens, encryption keys, and user credentials. But if you do, make sure to get them out of your code before committing to GitHub or other public code repositories.
Four years ago, GitHub introduced a search feature that made it easy to find passwords, encryption keys, and other sensitive information within publicly available repositories. The problem hasn't improved; last year, researchers found 1,500 Slack tokens across GitHub projects, which could have been abused by others to gain access to chats, files, and other sensitive data shared within private Slack teams.
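A pre-commit style scan for the kind of material the article describes (Slack `xox*`-prefixed tokens and high-entropy values assigned to secret-like variable names), added here as an example that is not from the article or any cited project; the sample file contents and every token value in it are constructed fakes, and the `# allow-secret` opt-out marker is an assumed convention.

```python
import math
import re
from collections import Counter

# Slack token prefixes: xoxb (bot), xoxp (user), xoxa/xoxr (app), xoxs (session).
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b")
# "name = 'value'" assignments whose name suggests a credential; the value is
# then checked for randomness so prose-like strings are not flagged.
ASSIGNMENT_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64/hex secrets score high, English scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, matched_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:      # assumed opt-out for known placeholders
            continue
        slack = SLACK_TOKEN_RE.search(line)
        if slack:
            findings.append((lineno, "slack-token", slack.group(0)))
            continue                      # one finding per line is enough to block
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy-" + m.group(1).lower(), value))
    return findings

# Constructed sample file contents; none of these values are real credentials.
SAMPLE = """\
SLACK_TOKEN = "xoxb-000000000000-111111111111-FAKEtokenFAKEtokenFAKE"
db_password = "Correct-Horse-Battery-Staple-2024-x9Qz"
api_key = os.environ["API_KEY"]
greeting = "hello world, this is just a plain string"
token = "xoxp-placeholder"  # allow-secret
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Wired into a pre-commit hook over `git diff --cached`, a non-empty result is the signal to refuse the commit; the entropy threshold is a tuning knob, not a guarantee.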