I remember when a senior developer where i worked was tired of connecting to the servers to check its configuration, so they added a public facing rest endpoint that just dumped the entire active config, including credentials and secrets
That was a smaller slip-up than exposing a database like that (he just forgot that the config contained secrets) but still funny that it happened
I would have put IP address access restrictions on that at the very least. I may have even done something like that more than once for various tools in the past.
That way it acts completely open to people (or other servers) in the right places and denies all knowledge to anything else.
I remember when a senior developer where i worked was tired of connecting to the servers to check its configuration, so they added a public facing rest endpoint that just dumped the entire active config, including credentials and secrets
That was a smaller slip-up than exposing a database like that (he just forgot that the config contained secrets) but still funny that it happened
That’s not a “senior developer.” That’s a developer that has just been around for too long.
Secrets shouldn’t be in configurations, and developers shouldn’t be mucking around in production, nor with production data.
I would have put IP address access restrictions on that at the very least. I may have even done something like that more than once for various tools in the past.
That way it acts completely open to people (or other servers) in the right places and denies all knowledge to anything else.