How safe are my secrets?

Hi devs,

Just wondering… if I want to connect to an external database and I save my credentials in a file that I keep out of git… how sure can I be that this file will not be accessible by either Viktor or the app's users? Is there any policy about that?

Thanks in advance!

Hi Rob,

In general, we do not advise storing credentials in plain text. We use a dedicated variable, VIKTOR_APP_SECRET, that we can set on app runtimes in production to access credentials from the app code. It is the responsibility of the developer that the credentials are subsequently handled in a secure way in the code itself. Currently, it is not yet possible to set this variable from the user interface or CLI for published applications, so if this is required we work together with the developer to share and set the credentials in a secure way.

While developing apps on your development environment, the app code isn’t sent to any of our servers; all jobs are executed on your machine, either inside a Docker container or a Python virtual environment. You can use the -e or --env flag to start the app with additional variables.

You can find more information on our privacy policy here: VIKTOR: Privacy. On top of that we are currently in the process of becoming ISO 27001 compliant.

If you have other questions please let me know!

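An added example, not part of the thread and not VIKTOR's own code: one way app code can read VIKTOR_APP_SECRET and keep the password out of logs and tracebacks. It assumes the variable holds a JSON object with the keys listed in `REQUIRED` and that the target is a PostgreSQL-style URL; the names `DbCredentials`, `load_credentials` and `SecretError` are hypothetical.

```python
import json
import os
from dataclasses import dataclass, field
from urllib.parse import quote

SECRET_VAR = "VIKTOR_APP_SECRET"  # variable name taken from the reply above
REQUIRED = ("host", "port", "user", "database", "password")  # assumed layout


class SecretError(RuntimeError):
    """Configuration error whose message never contains secret material."""


@dataclass(frozen=True)
class DbCredentials:
    host: str
    port: int
    user: str
    database: str
    password: str = field(repr=False)  # excluded from repr(), so not logged by accident

    def dsn(self) -> str:
        # Percent-encode user and password so characters such as '@' or '/'
        # cannot change how the URL is parsed (assumed PostgreSQL-style URL).
        u, p = quote(self.user, safe=""), quote(self.password, safe="")
        return f"postgresql://{u}:{p}@{self.host}:{self.port}/{self.database}"


def load_credentials(environ=os.environ) -> DbCredentials:
    raw = environ.get(SECRET_VAR)
    if not raw:
        raise SecretError(f"{SECRET_VAR} is not set")  # fail closed, no fallback file
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        # "from None" keeps the decoder error, whose .doc attribute holds the
        # raw value, out of the printed traceback.
        raise SecretError(f"{SECRET_VAR} is not valid JSON") from None
    if not isinstance(data, dict):
        raise SecretError(f"{SECRET_VAR} must be a JSON object")
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise SecretError(f"{SECRET_VAR} is missing keys: {', '.join(missing)}")
    return DbCredentials(str(data["host"]), int(data["port"]), str(data["user"]),
                         str(data["database"]), str(data["password"]))
```

During local development the same variable can be supplied with the -e or --env flag mentioned in the reply, so the code path is identical in both environments.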