Skip to content

Security: SparshM8/PixelVerse

Security

SECURITY.md

πŸ”’ Security Guidelines

Protecting Confidential Information

This document outlines best practices for keeping sensitive data secure in your Pixel Verse project.

βœ… Current Security Status

Your project is currently SAFE βœ…

  • No API keys found in code
  • No hardcoded credentials
  • No sensitive tokens exposed

πŸ›‘οΈ Best Practices

1. Never Commit Sensitive Data

Never hardcode these in your files:

  • API keys
  • Secret tokens
  • Passwords
  • Database credentials
  • Payment gateway keys
  • Private keys
  • Email credentials
  • OAuth secrets

2. Use Environment Variables

Instead of hardcoding:

// ❌ BAD - Don't do this
const apiKey = "sk_live_abc123xyz789";

Use environment variables:

// βœ… GOOD - Do this
const apiKey = process.env.API_KEY;

3. Use .gitignore

Always include sensitive files in .gitignore:

.env
.env.local
config.js
secrets.js
credentials.json

4. Use .env Files

Create a .env file (NOT committed to Git):

API_KEY=your_actual_api_key_here
DATABASE_URL=your_database_connection

Provide a .env.example template (safe to commit):

API_KEY=your_api_key_here
DATABASE_URL=your_database_url_here

🚨 If You Accidentally Committed Secrets

Option 1: Remove from Latest Commit

# Remove the file
git rm --cached .env

# Update .gitignore
echo ".env" >> .gitignore

# Commit the changes
git add .gitignore
git commit -m "Remove sensitive file and update .gitignore"
git push

Option 2: Remove from Git History (Advanced)

# Remove file from all commits
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch .env" \
  --prune-empty --tag-name-filter cat -- --all

# Force push
git push origin --force --all

Option 3: Use BFG Repo-Cleaner (Recommended)

# Install BFG (easier than filter-branch)
# Download from: https://rtyley.github.io/bfg-repo-cleaner/

# Remove file
bfg --delete-files .env

# Clean up
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# Force push
git push origin --force --all

⚠️ IMPORTANT: After removing secrets, immediately rotate/regenerate any exposed keys!

πŸ“‹ Security Checklist

Before pushing to GitHub:

  • Check for hardcoded API keys
  • Check for passwords in code
  • Verify .env is in .gitignore
  • Review git status before committing
  • Use git diff to check changes
  • Never commit database credentials
  • Use environment variables for secrets
  • Keep .env.example updated (with dummy values)

πŸ” How to Check for Secrets

Manual Check

# Search for common patterns
git grep -i "api_key"
git grep -i "secret"
git grep -i "password"
git grep -i "token"

Automated Tools

# Install git-secrets
git secrets --install
git secrets --scan

# Or use gitleaks
gitleaks detect --source .

πŸ“š Additional Resources

πŸ†˜ Need Help?

If you've exposed sensitive data:

  1. Immediately revoke/rotate the compromised keys
  2. Check if anyone has accessed them (check logs)
  3. Clean Git history using methods above
  4. Update all affected services
  5. Enable 2FA where possible

Remember: Prevention is better than cure! Always double-check before pushing to GitHub. πŸ”’

There aren’t any published security advisories