Hugging Face's logo

Spaces:
vimalk78
/
abc123
Running

App Files Community
abc123 / docs /SECURITY.md
vimalk78's picture
vimalk78
feat: Add comprehensive AI-powered crossword generation system
eb7f5ba
preview code
|
raw
history blame
3.77 kB

Security Guidelines - Crossword App

πŸ”’ Environment Variables & API Keys

βœ… Secure Practices Implemented

1. Environment Files

  • βœ… .env files are gitignored
  • βœ… .env.example template provided
  • βœ… No real secrets in source code
  • βœ… Automatic setup script provided

2. API Key Management

Local Development:

# 1. Set up environment
./setup-env.sh

# 2. Edit .env with your real key
HUGGINGFACE_API_KEY=hf_your_real_key_here

# 3. .env is automatically gitignored

Production Deployment:

  • HuggingFace Spaces: Use Settings β†’ Environment Variables
  • Railway/Heroku: Use config vars
  • Docker: Pass as runtime environment variables

3. Default Security

  • πŸ›‘οΈ Graceful fallback when API keys missing
  • πŸ›‘οΈ No crashes on missing configuration
  • πŸ›‘οΈ Warning messages instead of errors
  • πŸ›‘οΈ Safe defaults for all settings

🚨 What NOT to Do

❌ Never commit real API keys:

// ❌ NEVER DO THIS
const apiKey = 'hf_real_key_here';

❌ Never hardcode secrets:

// ❌ NEVER DO THIS
const config = {
  huggingfaceKey: 'hf_abcd1234...'
};

❌ Never share .env files:

# ❌ NEVER DO THIS
git add .env
git commit -m "added config"

βœ… Safe Patterns

βœ… Always use environment variables:

// βœ… SAFE
const apiKey = process.env.HUGGINGFACE_API_KEY;

βœ… Always check for existence:

// βœ… SAFE WITH FALLBACK
if (!apiKey || apiKey === 'hf_xxxxxxxxxx') {
  console.warn('API key not configured, using fallback');
  return this.fallbackMethod();
}

βœ… Always use templates:

# βœ… SAFE
cp .env.example .env
# Edit .env with real values

πŸ“ File Security

Gitignore Coverage 

# Environment files
.env
.env.local
.env.*.local

# Security files
*.key
*.pem
.secret
secrets/

File Structure 

backend/
β”œβ”€β”€ .env.example          # βœ… Safe template (committed)
β”œβ”€β”€ .env                  # πŸ”’ Real values (gitignored)
β”œβ”€β”€ .env.backup           # πŸ”’ Backup (gitignored)
└── setup-env.sh          # βœ… Setup script (committed)

πŸš€ Deployment Security

HuggingFace Spaces

  1. Go to Space Settings
  2. Add Environment Variable: HUGGINGFACE_API_KEY
  3. Set value to your real API key
  4. Restart space

Docker Deployment 

# Runtime environment variable
docker run -e HUGGINGFACE_API_KEY=hf_your_key app

CI/CD Pipelines 

# GitHub Actions example
env:
  HUGGINGFACE_API_KEY: ${{ secrets.HUGGINGFACE_API_KEY }}

πŸ” Security Verification

Pre-commit Checklist

  • No real API keys in code
  • .env in .gitignore
  • Only .env.example committed
  • All secrets use environment variables
  • Fallback mechanisms working

Testing Security 

# Test without API key
unset HUGGINGFACE_API_KEY
npm run dev
# Should work with fallback

# Test with invalid key
export HUGGINGFACE_API_KEY="invalid"
npm run dev
# Should gracefully fallback

πŸ“š Resources

πŸ†˜ If API Key Gets Exposed

  1. Immediately revoke the key at https://huggingface.co/settings/tokens
  2. Generate new key with appropriate permissions
  3. Update all deployment environments
  4. Check git history for any committed secrets
  5. Consider repository security scan

Remember: Security is a process, not a destination. Always be vigilant! πŸ›‘οΈ