@piyushkumar0707

🔒 Security Fix: Remove Hardcoded API Keys

Problem

The application had hardcoded API keys exposed in utils/chatbot.py:

  • GOOGLE_API_KEY was publicly visible in the repository
  • CSE_ID was also hardcoded and exposed
  • This created a critical security vulnerability

Solution

  • ✅ Replaced hardcoded keys with environment variable loading
  • ✅ Added proper error handling for missing environment variables
  • ✅ Created .gitignore to prevent accidental .env commits
  • ✅ Added .env.example template for new contributors
  • ✅ Updated README.md with complete setup instructions
  • ✅ Added security notice about API key management

Files Changed

  • utils/chatbot.py - Fixed security vulnerability
  • .gitignore - New file to protect sensitive data
  • .env.example - Template for required environment variables
  • README.md - Updated with setup instructions and security notice

Testing

  • Verified environment variables load correctly
  • Confirmed application imports work without errors
  • Tested with actual environment file

Impact

  • 🛡️ Security: API keys are no longer publicly exposed
  • 🚀 Production Ready: Application can now be safely deployed
  • 📚 Developer Experience: Clear setup instructions for contributors
  • 🔄 Maintainable: Follows security best practices

This fix resolves a critical security vulnerability and makes the project production-ready.

- Replace hardcoded GOOGLE_API_KEY and CSE_ID with environment variables
- Add proper error handling for missing environment variables
- Create .gitignore to prevent accidental exposure of .env files
- Add .env.example template for new contributors
- Update README.md with comprehensive setup instructions
- Add security notice about API key management

Resolves security vulnerability where API keys were publicly visible in source code.
This makes the application production-ready and follows security best practices.
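As an added example (not code from this PR or the project), a stdlib-only sketch of the environment-variable loading and error handling the Solution list describes: a small .env parser for the .env / .env.example files the PR introduces, a loader that reports every missing GOOGLE_API_KEY / CSE_ID value at once without echoing any secret, and a redaction helper for logs. The function and class names are assumptions.

```python
from __future__ import annotations
import os
import re
from typing import Mapping

# Names the PR moves out of utils/chatbot.py and into the environment.
REQUIRED_VARS = ("GOOGLE_API_KEY", "CSE_ID")
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for a .env / .env.example file (hypothetical helper)."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        match = _LINE.match(raw.strip())
        if match is None:
            continue  # blank, comment or malformed line: skip rather than guess
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one layer of matching quotes
        values[key] = value
    return values

class MissingSecretError(RuntimeError):
    """Raised when a required variable is absent; the message never carries secret values."""

def load_required_settings(env: Mapping[str, str] | None = None) -> dict[str, str]:
    """Return the required settings, or raise naming every missing or empty variable at once."""
    source = os.environ if env is None else env
    settings, missing = {}, []
    for name in REQUIRED_VARS:
        value = source.get(name, "").strip()  # whitespace-only counts as missing
        if value:
            settings[name] = value
        else:
            missing.append(name)
    if missing:
        raise MissingSecretError(
            "Missing required environment variable(s): " + ", ".join(missing)
            + ". Copy .env.example to .env and fill in the values."
        )
    return settings

def redact(secret: str, keep: int = 4) -> str:
    # Representation safe for logs: mask everything but the last `keep` characters.
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]
```

Calling `load_required_settings()` with no argument reads `os.environ`; passing `parse_dotenv(Path(".env").read_text())` reads the file the PR's .gitignore keeps out of the repository.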