Question

It’s difficult to completely prevent sensitive information leaks. But you can reliably lower the possibilities of information disclosure by safeguarding your data during the development process.

完全阻止敏感信息泄露是困难的。但你可以通过在开发过程中保护数据，可靠地降低信息泄露的可能性。

The most important measure you should take is to avoid hardcoding credentials and other sensitive information into executable code. Instead, you can place sensitive information in separate configuration files or a secret storage system like Vault ( https://github.com/hashicorp/vault/ ). Also, audit your public code repositories periodically to make sure sensitive files haven’t been uploaded by accident. Tools can help you monitor code for secrets, such as secret-bridge ( https://github.com/duo-labs/secret-bridge/ ). And if you have to upload sensitive files to the production server, apply granular access control to restricts users’ access to the files.

你应该采取的最重要的措施是避免将凭据和其他敏感信息硬编码到可执行代码中。相反，可以将敏感信息放在单独的配置文件或像 Vault（https://github.com/hashicorp/vault/）这样的秘密存储系统中。另外，定期审核公共代码库，以确保敏感文件没有被意外上传。工具可以帮助您监视包含秘密的代码，例如 secret-bridge（https://github.com/duo-labs/secret-bridge/）。如果您必须上传敏感文件到生产服务器，则应用精细的访问控制以限制用户对文件的访问。

Next, remove data from services and server responses that reveals technical details about the backend server setup and software versions. Handle all exceptions by returning a generic error page to the user, instead of a technical page that reveals details about the error.

接下来，要从服务和服务器响应中移除透露后端服务器设置和软件版本的技术细节数据。处理所有异常情况时，向用户返回通用的错误页面，而不是一个透露错误详细信息的技术页面。