Reputation: 43
This may be a dumb question, but I am an absolute beginner to back-end code and I am trying to practice building applications professionally. Is it considered bad practice to push my application's entire code base, excluding database passwords, API keys, and other sensitive bits of data, to a public GitHub repo? Does this put my application, once hosted, in a vulnerable spot? Is it safe if the GitHub repo is set to private? What is a professional way of handling front end and back end on GitHub? I have scoured the web already, but "backend" and "github" just brings up results for "GitHub Pages does not support server-side code," which is interesting, but something else entirely.
Upvotes: 4
Views: 2409
Reputation: 9884
I don't think there's a short answer for this.
A lot depends on the code quality itself. If you don't use prepared statements to access a database, someone who wants to attack your backend site will probably find an easy way in. If you use prepared statements properly, they probably won't even bother with SQL injection attacks.
But the main reason businesses keep their code private is that it is considered sensitive data, just like passwords and API keys. A competitor could simply copy your code if it is in a public repository, then maybe tinker with the layout a bit, and be operational within a week with something that took you a year to build, improve and expand.
Still, even when you keep the code private, you should treat it as if it were public. That means you need to make sure things like passwords and API keys do not end up in the repository.
Also keep in mind that it is hard to delete files from a git repository after they have been committed. If a file is committed in commit 123456 and then deleted in commit abcdef, it is still present in the commit history.
Upvotes: 0
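The prepared-statement point made in the answer above, as an added example that is not part of the original answer. Python's built-in sqlite3 stands in for the database so it runs offline; the users table, its two rows and the attacker-supplied input are all constructed here for illustration. The same query is run both ways so the difference is visible in the returned rows.

```python
"""Added example (not from the original answer): string-built SQL vs a prepared statement.

Uses the sqlite3 module from the standard library so it runs without a server.
The table, its rows and the attacker input below are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates the input into the SQL text, so the input can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Binds the input as a parameter; the database never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker input: closes the quoted literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run a normal lookup and the injected lookup through both query styles."""
    conn = make_db()
    return {
        "normal_vuln": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_prepared(conn, "alice"),
        # The concatenated query becomes: ... WHERE username = 'x' OR '1'='1'
        "injected_vuln": find_user_vulnerable(conn, INJECTION),
        # The bound query looks for a user literally named x' OR '1'='1
        "injected_safe": find_user_prepared(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the normal input both functions return only alice. With the injected input the concatenated version returns every user, while the prepared statement returns nothing because the whole string was compared as a value. The mechanism is identical in PHP PDO (`$stmt->execute([$username])`) or any other driver that supports bound parameters.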
Reputation: 7820
Assuming your application adheres to best practices and does not have vulnerabilities, this is absolutely safe, as long as you do not (accidentally) include any credentials or secrets as you have mentioned.
If your application does have vulnerabilities, putting it on GitHub might actually decrease the danger. If the vulnerability is in a dependency you are using, GitHub might alert you to the vulnerability, making you aware of it and allowing you to fix it. Furthermore, other users might find the flaw, report an issue or PR and help you fix it. Another added benefit is that your code is securely stored off-site, should your own computer become compromised.
On the other hand, a motivated attacker might want to exploit the vulnerability. In order to do that, they'll still need to sift through your code to find it, and then attack you or someone using your software. Unless your software is used by high-value targets or lots of targets, this isn't economical for the attacker.
Is it safe if the github repo is set to private?
Pretty much so. The contents of private repos are regulated in section E of the ToS:
Short version: You may have access to private repositories. We treat the content of private repositories as confidential, and we only access it for support reasons, with your consent, or if required to for security reasons.
I encourage you to read the whole section of the ToS, it is not that long but a worthwhile read if you have concerns about the confidentiality of the private repo.
Note that Microsoft themselves nowadays host the Windows source code on GitHub, in a private repo. And many other companies do as well. GitHub has managed to gain a reputation for being trustworthy in that regard.
Imho, I would not hesitate to publish open source projects publicly on GitHub. But if the project is a closed-source, for profit application, the question arises why you'd like to make the source code available in the first place. A private repo would be much better suited for that.
Upvotes: 5
Reputation: 11
Assuming you're using PHP, but this also works in other languages.
When I'm building I have all the db/connect credentials in one file, and set each to a variable such as $username, $password etc., and then use an include statement to bring those variables into the connect file. Then, put that credential file in your .gitignore if you're worried about other people seeing it.
Make sure the include statement is before the connection statement though.
For example:
<?php
// credential.php
$servername = 'localhost'; // host used by connect.php below
$username = 'usernameExample';
$password = 'passwordExample';
// then in your connect file
<?php
// connect.php
include 'credential.php'; // must come before the connection statement
try {
    $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    // Log the details server-side; do not echo them to the client
    error_log('Connection failed: ' . $e->getMessage());
    exit('Database unavailable');
}
For the .gitignore, just make a file named .gitignore and put credential.php in it.
Upvotes: 0
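Two points from the answers above belong together: the .gitignore advice in this answer, and the earlier warning that a file deleted from a git repository is still present in the history. The following added example (not part of either answer) builds a throw-away repository in a temporary directory and checks what git actually keeps when credential.php is committed first and only then added to .gitignore. It needs a git binary on PATH; the file names, contents and commit messages are constructed here.

```python
"""Added example (not from the original answers): a credential file committed
before it was gitignored.

Creates a temporary git repository with subprocess, so a git binary must be on
PATH. File names, contents and commit messages are constructed for the demo.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Optional

# Identity passed on every call so the demo does not depend on the user's git config.
GIT_IDENTITY = ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]


def git(repo: str, *args: str) -> str:
    """Run one git command inside `repo` and return its stdout; raise on failure."""
    result = subprocess.run(
        ["git", *GIT_IDENTITY, *args],
        cwd=repo, check=True, capture_output=True, text=True,
    )
    return result.stdout


def write(repo: str, name: str, content: str) -> None:
    with open(os.path.join(repo, name), "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> Optional[dict]:
    """Commit credential.php, gitignore it, untrack it; report what git still holds.

    Returns None when git is not installed, otherwise a dict of observations.
    """
    if shutil.which("git") is None:
        return None
    repo = tempfile.mkdtemp(prefix="gitignore-demo-")
    try:
        git(repo, "init", "-q")

        # Step 1: the credential file is committed by mistake.
        write(repo, "credential.php", "<?php\n$password = 'passwordExample';\n")
        git(repo, "add", "credential.php")
        git(repo, "commit", "-q", "-m", "add db connection (oops, with credentials)")

        # Step 2: .gitignore is added afterwards. This does NOT untrack the file.
        write(repo, ".gitignore", "credential.php\n")
        git(repo, "add", ".gitignore")
        git(repo, "commit", "-q", "-m", "ignore credential.php")
        tracked_after_ignore = "credential.php" in git(repo, "ls-files").split()

        # Step 3: git rm --cached stops tracking it (the working copy stays on disk).
        git(repo, "rm", "-q", "--cached", "credential.php")
        git(repo, "commit", "-q", "-m", "stop tracking credential.php")
        tracked_after_rm = "credential.php" in git(repo, "ls-files").split()

        # The earlier commits still contain the full file; this is what a clone sees.
        old_contents = git(repo, "show", "HEAD~2:credential.php")
        history = git(repo, "log", "--all", "--format=%H", "--", "credential.php")

        return {
            "tracked_after_ignore": tracked_after_ignore,      # True
            "tracked_after_rm": tracked_after_rm,              # False
            "password_still_in_history": "passwordExample" in old_contents,  # True
            "commits_touching_file": len(history.split()),
        }
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The takeaways a practitioner wants from this: add the credential file to .gitignore before the first commit, not after; `.gitignore` only affects untracked files, so a file that is already tracked must be removed with `git rm --cached`; and once a secret has been committed, the only reliable fix is to rotate it, because rewriting history (with `git filter-repo` or the BFG) does nothing for the clones, forks and CI caches that already pulled the old commits.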