Some secret management belongs in your HTTP proxy

https://blog.exe.dev/http-proxy-secrets

Article

TL;DR: Route outbound API calls through an MITM proxy that injects secrets, keeping keys out of app code.

Key Takeaways

  • Proxy intercepts outbound HTTPS, injects auth headers — app never touches raw API keys
  • Still requires app-to-proxy authentication; one compromised proxy key still exposes all services
  • Bonus: enables URL rewriting to hit dummy servers in tests without code changes
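The three takeaways above describe one request-rewriting step that the proxy performs after it has terminated TLS: authenticate the calling app, strip that app credential, inject the real upstream secret, and optionally rewrite the destination for tests. The following is an added example of that policy logic, not code from the blog post or from any project it describes; the TLS interception itself is not shown. Hostnames, header names, tokens and the `localhost:8081` dummy server are constructed, hypothetical values.

```python
import hmac
from urllib.parse import urlsplit, urlunsplit

# Header the application uses to authenticate itself to the proxy (hypothetical name).
PROXY_TOKEN_HEADER = "X-Proxy-Token"

# Constructed config: in a real deployment these values are loaded into the proxy
# process from a vault or environment, and the application process never sees them.
UPSTREAM_SECRETS = {
    "api.example.com": ("Authorization", "Bearer sk-live-CONSTRUCTED"),
    "mail.example.net": ("X-Api-Key", "mail-key-CONSTRUCTED"),
}
# Test-mode rewrites: traffic for a real host is sent to a dummy server instead.
TEST_REWRITES = {"api.example.com": "http://localhost:8081"}


class ProxyError(Exception):
    """Raised when the proxy refuses to forward a request."""


def _pop_header(headers, name):
    """Remove a header case-insensitively; return its last value or ''."""
    value = ""
    for key in list(headers):
        if key.lower() == name.lower():
            value = headers.pop(key)
    return value


def prepare_outbound(url, headers, expected_proxy_token, test_mode=False):
    """Turn a request the app sent to the proxy into the request to forward upstream.

    Returns (forward_url, forward_headers). Raises ProxyError when the app did
    not authenticate or asked for a host that is not on the allowlist.
    """
    hdrs = dict(headers)  # never mutate the caller's copy

    # 1. App-to-proxy authentication. The token is compared in constant time and
    #    removed so it does not leak to the upstream service.
    presented = _pop_header(hdrs, PROXY_TOKEN_HEADER)
    if not hmac.compare_digest(presented.encode(), expected_proxy_token.encode()):
        raise ProxyError("app failed to authenticate to proxy")

    # 2. Least privilege: only allowlisted hosts get a secret, everything else is refused.
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in UPSTREAM_SECRETS:
        raise ProxyError(f"host {host!r} is not on the proxy allowlist")

    # 3. Inject the upstream credential, replacing (not merging with) anything the
    #    app supplied under the same header name.
    name, value = UPSTREAM_SECRETS[host]
    _pop_header(hdrs, name)
    hdrs[name] = value

    # 4. Optional URL rewrite for tests: keep path and query, swap scheme and host.
    if test_mode and host in TEST_REWRITES:
        target = urlsplit(TEST_REWRITES[host])
        url = urlunsplit((target.scheme, target.netloc, parts.path, parts.query, ""))

    return url, hdrs


if __name__ == "__main__":
    # Constructed request as the application would send it: it only holds the proxy token.
    app_headers = {"X-Proxy-Token": "app-token-CONSTRUCTED", "Accept": "application/json"}
    for mode in (False, True):
        fwd_url, fwd_headers = prepare_outbound(
            "https://api.example.com/v1/items?limit=5", app_headers,
            "app-token-CONSTRUCTED", test_mode=mode)
        print(mode, fwd_url, fwd_headers)
```

The refusal of unknown hosts is what limits the blast radius the discussion worries about: a stolen proxy token grants access only to the allowlisted upstreams the proxy is configured to sign for, and the proxy's own log line should record the rewritten URL and header names, never the injected values.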

Discussion

  • [sakisv]: Moves the problem one level — proxy auth key still exposes all services if leaked
  • [rtrgrd]: TLS MITM certs for header injection is a meaningful security risk itself
  • [danlitt]: URL rewriting enables clean test mocking without touching application code
  • Conceptually sound, but the community flagged that it shifts the key-exposure problem to the proxy credential rather than eliminating it.

Discuss on HN


Type Link
Added Apr 22, 2026
Modified Apr 22, 2026