Some secret management belongs in your HTTP proxy
https://blog.exe.dev/http-proxy-secrets
Article
TL;DR
Inject API keys at a local proxy so app code never holds production credentials directly.
Key Takeaways
- App authenticates to local proxy; proxy injects real secrets into outbound requests at runtime
- GitHub App integration is the strongest case: native token refresh vs fragile 90-day PAT rotation
- Still requires securing the proxy — moves the problem one layer without eliminating the attack surface
Discussion
Top comments:
- [sakisv]: Moves the credential problem one step away; proxy auth becomes the new single point of failure
- [MyUltiDev]: GitHub App rotation is genuinely free here; PAT expiry is the painful failure mode this solves
- [rtrgrd]: Setting up certs to MITM HTTPS to inject headers introduces its own security risk
| Field | Value |
| --- | --- |
| Type | Link |
| Added | Apr 22, 2026 |
| Modified | Apr 22, 2026 |
| comments | 10 |
| hn_id | 47825888 |
| score | 40 |
| target_url | https://blog.exe.dev/http-proxy-secrets |