How to save sensitive data on heroku?

Question

I have linked my GitHub to a Heroku project and I want to use nodemailer. At some point I want to make this repository public, so obviously I do not want to commit a file that contains sensitive info (email and pass). Is there a way to store this data and just include it at any .js file without it appearing in my GitHub?

Answer 1

You can set all your environmental variables on the Heroku website, as well as through the CLI. Just click on Settings>Reveal Config Vars while you're inside your project on Heroku. Enter your .env keys/values there. (I'm assuming you're talking about your .env variables). Here are their docs: https://devcenter.heroku.com/articles/config-vars
If you're not familiar with storing environmental variables to keep your variables secret, this is how it's done locally. You'd include the .env file on your .gitignore or equivalent to whichever environment you're working in so it's not included when you upload it to Heroku or any other hosting site. It's a pretty important step, so here's the repo on that in case you're not familiar: https://github.com/motdotla/dotenv#readme
Dotenv(.env) is not all encompassing, but it's what I generally use.

Answer 2

In every application you 'externalize' the configuration settings, especially sensitive attributes (passwords, tokens, etc..).

In Heroku the suggested approach is to use ConfigVars: define an environment variable for each of the setting and do not hardcode/commit these in your code.

You can set the ConfigVar using the Heroku CLI (see below an example) or directly in the Heroku Web Dashboard.

heroku config:set PASSWORD="xyz"