We're making an app using PHP and using some third-party services that require a secret API key. We have a PHP file that contains all those key definitions that we then import (using `require_once`) when needed.

Is this approach safe? Should we store the keys in a different place?

Thank you.

+2  A: 

It should be relatively safe as long as the file is not accessible from the web. A lot of sites will place sensitive files outside of the webroot on the server, and simply include them when needed into their app.

Arms
+10  A: 

Something similar was asked today for a shell script. The answer is valid here as well: Make sure you store the file outside the web root, or (if that's not possible) protect it using a .htaccess file.

I also like to unset() any variables containing sensitive data after use, so not even a full variable dump (e.g. in a debug message) later in that script could reveal it.

Pekka
+1 for unsetting the variables once they are not needed. I do this with my database passwords.
MitMaro
This is a great answer, thanks.
DiogoNeves
Now that I think about it, could I leave the keys in the same place (with better permission settings) but encrypting them, putting only the encryption key outside the reach of the webroot. That way we could read the file in as many machines as we need as soon as we configured them ourselves with our key? Thank you again.
DiogoNeves
@Diogo very interesting idea, but you would have to do the decryption on every request you serve - not sure whether it's a good idea performance-wise. Plus, the security gain is probably going to be too small compared to the implementation cost. Still, interesting idea.
Pekka
+2  A: 

I always set the permissions of certificates and other files containing sensitive data such that only my development team and the apache service can access the file. This is important if you are using a server shared by a large organization, like a university, where lots of people might have permissions to the file by default. Often I've seen read permissions given to everyone so that the web server can access the file (since it is neither the owner nor in the group permission for the file, the only thing left is to give read to "other").

Instead, I ensure there is a group containing only my development team, and set the read/write permissions for the file to that group. I then use ACL to add a read permission for the APACHE service. You have to use an ACL since the owner and group are normally set to a developer and development team group, leaving you no options for setting access for apache other than using ACL.

AaronLS
+1 Good points for working on shared servers - it often escapes the mind that a `chmod 777` means all the neighbours can access the file, too.
Pekka
Now that I think about it, could I leave the keys in the same place (with better permission settings) but encrypting them, putting only the encryption key outside the reach of the webroot. That way we could read the file in as many machines as we need as soon as we configured them ourselves with our key? Thank you.
DiogoNeves
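
The advice in the answers above (keep the key file outside the web root, give "other" no permissions on it, and `unset()` the secrets after use) can be enforced at load time. This is an added example, not code from any poster in the thread; the function name `load_api_keys`, the paths and the key name are hypothetical, and it assumes a Unix host and a key file that returns an array instead of calling `define()`, since constants cannot be unset.

```php
<?php
// Added example; paths, file layout and key names are constructed.

function load_api_keys(string $keyFile, string $webRoot): array
{
    $realKey  = realpath($keyFile);
    $realRoot = realpath($webRoot);
    if ($realKey === false || $realRoot === false) {
        throw new RuntimeException('Key file or web root not found');
    }
    // Refuse a key file that sits under the web root and could be served.
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realKey, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Key file is inside the web root');
    }
    // Refuse any access for "other"; ACL entries are not inspected here.
    clearstatcache(true, $realKey);
    $mode = fileperms($realKey);
    if ($mode === false || ($mode & 0007) !== 0) {
        throw new RuntimeException('Key file is accessible to "other"');
    }
    // Assumption: the key file ends with `return [...]` rather than define().
    $keys = require $realKey;
    if (!is_array($keys)) {
        throw new RuntimeException('Key file did not return an array');
    }
    return $keys;
}

// Constructed layout: <tmp>/public is the web root, <tmp>/config holds keys.
$base = sys_get_temp_dir() . '/keydemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0750, true);
mkdir("$base/config", 0750, true);
$keyFile = "$base/config/api_keys.php";
file_put_contents($keyFile, "<?php return ['payments' => 'example-placeholder-key'];");

chmod($keyFile, 0644);               // world-readable: must be rejected
try {
    load_api_keys($keyFile, "$base/public");
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

chmod($keyFile, 0640);               // owner + group only: accepted
$keys   = load_api_keys($keyFile, "$base/public");
$apiKey = $keys['payments'];
// ... call the third-party service with $apiKey here ...
unset($apiKey, $keys);               // a later variable dump cannot show them
```

The permission test only looks at the classic mode bits, so a read grant given to the web server through an ACL entry, as described in the last answer, does not trip it.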