heygrc
Answer

How do I store API keys and secrets without breaking ISO 27001 A.8.24?

Never put the key in source code. Read it from the environment or a managed secret store at runtime, keep it out of the repository and the logs, and rotate any secret that was ever committed. ISO 27001 A.8.24 (use of cryptography, which covers key management) expects keys to be managed through their lifecycle, and a hardcoded key cannot be rotated, restricted or revoked without a code change.

  1. Read secrets from a managed store

    Load credentials from environment variables backed by a secret manager (your platform's secrets, a vault, a cloud KMS-backed config), resolved at runtime. The code references the secret by name; it never contains the value. Fail at startup if the variable is missing rather than carrying an undefined key into the first request.

  2. Keep them out of the repo and the logs

    A key in source goes into the repository, its history, and every clone, fork and CI cache. A key in a log line goes wherever your logs go: aggregators, tickets, third-party monitoring. Neither is undone by deleting the key in a later commit.

  3. Rotate anything that leaked

    If a secret was ever committed, treat it as exposed and rotate it: issue a new key, deploy it through the secret store, then revoke the old one. Removing it from the current file does not remove it from the history that already shipped, and rewriting history does not recall clones that already pulled it.
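The three steps above, carried into one runnable TypeScript module. This is an added example, not code from the page or from any product it describes. It assumes the platform injects PAYMENTS_SECRET_KEY as an environment variable, or mounts it as a file whose path is given in PAYMENTS_SECRET_KEY_FILE (a common container convention); `Payments` is a hypothetical SDK client used only to show the wiring. The secret source is injectable so the loader can be exercised offline with constructed values.

```typescript
// Added example (not the page's own code). Assumes PAYMENTS_SECRET_KEY arrives
// via the environment or via a mounted file named in PAYMENTS_SECRET_KEY_FILE.
import { readFileSync } from "node:fs";
import { inspect } from "node:util";

/** Where secrets come from; injectable so tests can use constructed values. */
export interface SecretSource {
  env: Record<string, string | undefined>;
  readFile: (path: string) => string;
}

/** Real process environment and filesystem. */
export const processSource: SecretSource = {
  env: process.env,
  readFile: (p) => readFileSync(p, "utf8"),
};

export class MissingSecretError extends Error {
  constructor(name: string) {
    // Name the variable in the error, never its value.
    super(`required secret ${name} is not set (set ${name} or ${name}_FILE)`);
    this.name = "MissingSecretError";
  }
}

/** Holds a secret so that an accidental log, JSON body or string
 *  interpolation shows a placeholder instead of the value. */
export class Secret {
  readonly #value: string;
  constructor(value: string) {
    this.#value = value;
  }
  /** The only way to get the raw value; call it where the SDK needs it. */
  expose(): string {
    return this.#value;
  }
  toString(): string {
    return "[redacted]";
  }
  toJSON(): string {
    return "[redacted]";
  }
  [inspect.custom](): string {
    return "[redacted]";
  }
}

/** Resolve a secret at runtime. A mounted file wins over an env value so a
 *  freshly rotated mount is not shadowed by a stale variable. Throws if
 *  neither source yields a non-empty value, so startup fails, not request #1. */
export function loadSecret(name: string, src: SecretSource = processSource): Secret {
  const filePath = src.env[`${name}_FILE`];
  if (filePath) {
    const fromFile = src.readFile(filePath).trim(); // mounted files often end in "\n"
    if (fromFile !== "") return new Secret(fromFile);
  }
  const fromEnv = src.env[name];
  if (fromEnv === undefined || fromEnv.trim() === "") {
    throw new MissingSecretError(name);
  }
  return new Secret(fromEnv.trim());
}

/** Scrub known secret values from a log line before it is emitted. */
export function redact(line: string, secrets: Secret[]): string {
  let out = line;
  for (const s of secrets) {
    const raw = s.expose();
    if (raw.length > 0) out = out.split(raw).join("[redacted]");
  }
  return out;
}

// Hypothetical SDK client, standing in for whatever `Payments` is on the page.
class Payments {
  constructor(readonly key: string) {}
}

/** Wires the client at startup; a missing secret aborts boot with a clear error. */
export function buildClient(src: SecretSource = processSource): { client: Payments; secret: Secret } {
  const secret = loadSecret("PAYMENTS_SECRET_KEY", src);
  return { client: new Payments(secret.expose()), secret };
}
```

Call `buildClient()` once during startup and pass `redact(line, [secret])` over anything that reaches the logger; the `Secret` wrapper catches the common accidental leaks (`console.log`, `JSON.stringify`, template strings), while `redact` catches a raw value that an SDK error message echoes back.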

config/payments.ts+1 -1
- const key = "<the live key, pasted inline>"+ const key = process.env.PAYMENTS_SECRET_KEYconst client = new Payments(key)
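Review bot: the `+` line reads `process.env.PAYMENTS_SECRET_KEY` but never checks that it is set, so a missing variable silently yields `undefined` and `new Payments(key)` fails later, at first use, with an unhelpful error (under TypeScript strict mode the `string | undefined` type should not even compile against a `string` parameter). Fail fast at startup instead, e.g. `const key = process.env.PAYMENTS_SECRET_KEY; if (!key) throw new Error("PAYMENTS_SECRET_KEY is not set");`. The removed literal also still exists in the repository history, so this hunk has to be paired with rotating that key, as step 3 above says.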

The key is read from a managed secret at runtime instead of living in the repository.