flowCreate.solutions

Data Handling & Secrets (Backend Standard)

This document defines lightweight, baseline rules for:

  • secret handling (especially .env usage)
  • PII handling and logging safety

Secrets and environment variables

.env files (local-only)

Standard:

  • .env files are local development only.
  • .env files must be in .gitignore (or equivalent) in every repo.
  • Repos must provide a committed .env.example (placeholders only; no real secrets).

Production/deployed environments

Standard:

  • Production/deployed environments must provide configuration via a managed “variables” section (environment variables) in the deployment platform.
  • Do not rely on .env files in production.
  • Do not store secrets in source control, Docker images, or baked build artifacts.

Never commit secrets (non-negotiable)

Do not commit:

  • API keys, tokens, passwords, private keys
  • real customer data exports
  • production database URLs

Use CI secrets scanning (e.g., gitleaks) and treat findings as urgent.

PII handling (baseline)

What counts as PII (examples)

PII includes (not exhaustive):

  • email addresses, phone numbers
  • names when tied to a person
  • physical addresses
  • government identifiers
  • IP addresses (treat as sensitive operational data)

Minimize PII

  • Only collect/store PII that the product needs.
  • Prefer storing references/ids over raw PII when possible.
  • Keep retention policies project-specific, but default to “retain the minimum”.

Logging rules (PII + secrets)

Hard rules

  • Do not log secrets (passwords, tokens, API keys).
  • Do not log full JWTs (log last 4 chars at most).
  • Do not log raw request bodies by default.
  • Treat X-Request-Id as safe to log (it’s required for correlation).

Redaction approach

When you must log a payload for debugging:

  • log only whitelisted fields
  • redact known sensitive keys (e.g., password, token, api_key, authorization, email, phone)
  • prefer logging counts/summaries over raw values
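The three redaction rules above, worked into a small helper as an added example (not code from the flowCreate.solutions repos): the sensitive-key list is the one named in this section, while the `redact_payload` name, the JWT shape check and the sample payload are assumptions constructed for illustration.

```python
import re

# Keys the standard names as always-sensitive. Matching is case-insensitive and by
# substring ("user_password", "X-Api-Key"), so over-redaction is the safe default.
SENSITIVE_KEYS = ("password", "token", "api_key", "authorization", "email", "phone")
# Assumed shape of a compact JWT: three base64url segments joined by dots.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

def _is_sensitive_key(key: str) -> bool:
    k = key.lower().replace("-", "_")
    return any(s in k for s in SENSITIVE_KEYS)

def _mask(value):
    """Fully mask a value; a JWT keeps only its last 4 chars (the standard's cap)."""
    if isinstance(value, str) and JWT_RE.match(value):
        return "***" + value[-4:]
    return "[REDACTED]"

def _summarise(value) -> str:
    """Describe a value by type and size only, never by content."""
    if isinstance(value, (str, list, tuple, set)):
        return f"<{type(value).__name__} len={len(value)}>"
    return f"<{type(value).__name__}>"

def redact_payload(payload: dict, whitelist=frozenset()) -> dict:
    """Log-safe copy: sensitive keys masked at any depth, whitelisted keys kept
    verbatim (unless the value looks like a JWT), nested dicts walked, all else summarised."""
    safe = {}
    for key, value in payload.items():
        if _is_sensitive_key(key):
            safe[key] = _mask(value)
        elif isinstance(value, dict):
            safe[key] = redact_payload(value, whitelist)
        elif key in whitelist:
            safe[key] = _mask(value) if JWT_RE.match(str(value)) else value
        else:
            safe[key] = _summarise(value)
    return safe

# Constructed sample (no real data), shaped like a request a developer might log.
SAMPLE = {
    "X-Request-Id": "req-123abc",
    "user_id": 42, "items": [1, 2, 3],
    "email": "jane@example.com",
    "password": "hunter2",
    "Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abcdWXYZ",
    "profile": {"phone_number": "+1 555 0100", "display_name": "Jane"},
    "note": "hello world",
}
SAFE_FIELDS = frozenset({"X-Request-Id", "user_id", "display_name"})
```

`redact_payload(SAMPLE, SAFE_FIELDS)` keeps the request id and user id, masks the email, password and phone, reduces the JWT to `***WXYZ`, and turns everything else into a length summary.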

Where the standard lives

  • Logging structure + correlation IDs: see Observability (docs/backend/03_development/observability.md)
  • Logging usage and sensitive data reminders: see Logging (docs/backend/03_development/logging.md)