Category: Security

Q: How to prevent Oauth2 app key and secret hard-coded in CakePHP?

Again Hi,

I have a small application that uses Oauth2 to interact with third party service provider. I'd like to know if there is any way to protect key/secret in source code that other people cannot access through git?

for example:

// in controller
$provider = new GOauth([
    'clientId'                => '{appKey}', //appKey
    'clientSecret'            => '{appSecret}',   //appSecret
    'redirectUri'             => ''


So far I have tried my best is to use Configure::load: (I think it is still "hard-coded")

Configure::load('my_file', 'default');

Loading configuration files

Is there a better way to protect hard-coded variables in cake? 



SOLVED cakephp security
1 Answers
Accepted by Sam Dawson

Hi Sam:

Cakephp's configuration is a way to put sensitive data to config file, but you also have to git ignore before you commit and push to git.

Another approach is to use environment variables:


$sensitive_data = (empty($_ENV('ENVIRONMENT_VARIABLE')) ? null : $_ENV('ENVIRONMENT_VARIABLE');

or in preferred Cake way (from cake 2.0+), you can access env variable by

 $sensitive_data = env('ENVIRONMENT_VARIABLE'); //returns null on empty

function env() cakephp 2.0

function env() cakephp 3.0

PHP's environment variables

Hope env() will help you.

Created: 28 Aug '16

Last Reply: 30 Aug '16

Replies: 1

Views: 1742

Votes: 0

Welcome to Aero Coding!

Aero Coding is a CakePHP-focused Q&A community for professional and enthusiast cake bakers. It's built and run by you as part of the community.

Join Now Tour

Download Cakephp

Start baking your own CakePHP application!

Cakephp All Versions