mirror of
https://github.com/simonw/datasette.git
synced 2026-07-08 08:34:42 +02:00
Advise plugin authors on naming secret configuration keys
/-/config redacts values for keys whose names contain secret, key, password, token, hash or dsn. Plugins that follow that naming get automatic redaction; plugins that don't will leak their secrets on that endpoint. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01GrHZSypDfMnym1tM5XJAFZ
This commit is contained in:
parent
3322e1f528
commit
8154f7149f
1 changed files with 2 additions and 0 deletions
|
|
@ -459,6 +459,8 @@ Secret configuration values
|
|||
|
||||
Some plugins may need configuration that should stay secret - API keys for example. There are two ways in which you can store secret configuration values.
|
||||
|
||||
The :ref:`/-/config <JsonDataView_config>` introspection endpoint redacts the values of any configuration keys whose names contain one of these substrings: ``secret``, ``key``, ``password``, ``token``, ``hash`` or ``dsn``. Name your plugin's secret configuration keys accordingly - for example ``api_key`` or ``client_secret`` - so they are automatically redacted there.
|
||||
|
||||
**As environment variables**. If your secret lives in an environment variable that is available to the Datasette process, you can indicate that the configuration value should be read from that environment variable like so:
|
||||
|
||||
.. [[[cog
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue