On line 84 we're told to use environment variables for a secret key:
A secret cryptographic key Not to confuse with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as an environment variable.
However at Cryptographic_Storage_Cheat_Sheet.html#key-storage, we're told to not use environment variables:
Avoid storing keys in environment variables, as these can be accidentally exposed through functions such as phpinfo() or through the /proc/self/environ file.
How should this be resolved?
One option is to change to:
A secret cryptographic key Not to be confused with the random value from the naive implementation. This value is used to generate the HMAC hash. Ideally, store this key as discussed in the Cryptographic Storage Page.
Yeah, this is clearly an out of date recommendation. If you're willing to make a PR to update it that would be awesome. If not just let me know and I can handle it.