Don't leave ENV keys in unmaintained software

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job.

Last Updated: 2024-04-17

Do not leave sensitive ENV keys and secrets in old software unnecessarily

Specifically, on my personal website I used to sell e-books, but have since stopped.

Years later, after the site had been in zombie mode, I got notifications that the Ruby version on it was dangerously out of date and there were probably security holes. Ditto for the Ubuntu version (14 vs 20 being the current one).

The "right" thing to do is upgrade the code. But I didn't have the time. So instead I removed the primary sensitive info so I didn't have to worry about the worst case if hacked.

STRIPE_PUBLISHABLE_KEY:       pk_live_12121212121212112312312T
STRIPE_SECRET_KEY:            sk_live_1212121212121112121212ll
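
An added example, not code from the original post: a small Python check that parses a `NAME: value` listing like the one above and flags live Stripe secrets and credential-like variables that an unmaintained app should no longer hold. The sample listing, the name heuristics and the severity labels are assumptions made for illustration.

```python
import re

# Prefixes Stripe uses for live-mode credentials. sk_ and rk_ keys can move
# money or read customer data; pk_ keys are public by design.
LIVE_SECRET = re.compile(r"^(sk|rk)_live_")
LIVE_PUBLIC = re.compile(r"^pk_live_")
# Assumption: variable names containing these words usually hold credentials.
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|PRIVATE|API_KEY)", re.I)


def parse_listing(text):
    """Parse 'NAME:   value' lines into a dict, skipping lines without a name."""
    env = {}
    for line in text.splitlines():
        # Split on the first colon only, so URL values keep their own colons.
        name, sep, value = line.partition(":")
        if sep and name.strip():
            env[name.strip()] = value.strip()
    return env


def audit(env):
    """Return (name, severity, reason) for every variable worth removing."""
    findings = []
    for name, value in sorted(env.items()):
        if not value:
            continue  # already blanked out
        if LIVE_SECRET.match(value):
            findings.append((name, "high", "live Stripe secret key"))
        elif SENSITIVE_NAME.search(name):
            findings.append((name, "medium", "credential-like variable name"))
        elif LIVE_PUBLIC.match(value):
            findings.append((name, "low", "live publishable key, unused once checkout is gone"))
    return findings


# Constructed sample listing; the values are placeholders, not real keys.
SAMPLE = """\
RACK_ENV:                     production
STRIPE_PUBLISHABLE_KEY:       pk_live_EXAMPLEEXAMPLEEXAMPLE
STRIPE_SECRET_KEY:            sk_live_EXAMPLEEXAMPLEEXAMPLE
SMTP_PASSWORD:                constructed-sample-value
OLD_API_KEY:
"""

if __name__ == "__main__":
    for name, severity, reason in audit(parse_listing(SAMPLE)):
        print(f"{severity:6} {name}: {reason}")
```

Removing a key from the environment only limits what a later compromise can read; a secret that has sat on an outdated host is safest when it is also revoked or rolled at the provider.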