惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
Recorded Future
Recorded Future
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The GitHub Blog
The GitHub Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
Y
Y Combinator Blog
N
News | PayPal Newsroom
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Help Net Security
Help Net Security
博客园 - Franky
SecWiki News
SecWiki News
Recent Announcements
Recent Announcements
T
Troy Hunt's Blog
The Register - Security
The Register - Security
The Last Watchdog
The Last Watchdog
Webroot Blog
Webroot Blog
S
Security Affairs
博客园 - 司徒正美
S
Schneier on Security
I
InfoQ
博客园_首页
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Forbes - Security
Forbes - Security
腾讯CDC
N
Netflix TechBlog - Medium
N
News and Events Feed by Topic
Cloudbric
Cloudbric
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
A
About on SuperTechFans
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
B
Blog
V
Vulnerabilities – Threatpost
C
Check Point Blog
Google DeepMind News
Google DeepMind News
Google Online Security Blog
Google Online Security Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
Schneier on Security
Schneier on Security
O
OpenAI News
K
Kaspersky official blog

Netlify Changelog

Gemini 3.5 Flash now available in Agent Runners 4 Nuxt CVEs: what Netlify users need to know Gemini 3.5 Flash now available in AI Gateway Agent Runners workflow improvements Next.js & React security release (May 2026): what to know Block project transfers out of your team Gemini 3.1 Flash-Lite now available in AI Gateway OpenAI GPT-5.5 Instant now available in AI Gateway New `netlify logs` CLI command Deploy to Netlify with Stripe Projects Netlify Database is now generally available OpenAI GPT-5.5 and GPT-5.5 Pro in AI Gateway & Agent Runners Rename an agent run GPT Image 2 now available in AI Gateway New frontend-design skill for Agent Runners Claude Opus 4.7 now available in AI Gateway and Agent Runners Pricing updates for Credit-based plans New sorting and filter controls on the Members page Netlify Database GA coming soon, no new databases for now Deploy logs streaming is now faster Netlify CLI adds prompt-based creation and anonymous deploys Deploy from Codex with the Netlify Plugin Hydrogen with React Router 7 now supported on Netlify Monitor credit usage by day Invoices for Enterprise Available on the Billing Page AI app development on production infrastructure with Netlify Introducing Prompt Templates OpenAI GPT-5.4 Nano and GPT-5.4 Mini in AI Gateway Change your pricing plan Internal Builder Role & Project Access Controls See your available credits at a glance Astro 6 just works on Netlify Limit AI feature usage OpenAI GPT-5.4 and GPT-5.4 Pro in AI Gateway & Agent Runners Deploy Preview screenshots in agent runs Gemini 3.1 Flash-Lite Preview now available in AI Gateway GPT-5.3 Instant now available in AI Gateway Use Netlify Agent Runners from Linear Automatic PHP bot scan blocking now live on all plans Support for stale-while-revalidate in Cache API Gemini 3.1 Flash Image Preview now available in AI Gateway GPT-5.3-Codex now available in AI Gateway Gemini 3.1 Pro Preview now available in AI Gateway Claude Sonnet 4.6 now available in AI Gateway and Agent Runners Sync changes with Agent Runners without Git Claude Opus 4.6 now available in AI Gateway and Agent Runners Agent Runners improvements recap 6 new React Router & Remix CVEs: what you need to know Vulnerability in Node.js: what Netlify users need to know 5 SvelteKit security vulnerabilities: what Netlify users need to know GPT-5.2-Codex Now Available in AI Gateway and Agent Runners Play Games While Agent Runners Do the Work Prerender.io support updated as new extension Gemini 3 Flash Preview now available in AI Gateway GPT-image-1.5 now available in AI Gateway AI Gateway now Generally Available Observability release is here Prerender extension now generally available Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183 GPT-5.2 and GPT-5.2-Pro now available in AI Gateway and Agent Runners GPT-5.1-Codex-Max now available in AI Gateway and Agent Runners Netlify’s response to the critical React security vulnerability Netlify Vite Plugin now supports AI Gateway locally Claude Opus 4.5 now available in AI Gateway Projects deployed using a zip file via API now support branch deploys Day one support for Angular v21 on Netlify Gemini 3 now available in AI Gateway and Agent Runners DNS record management simplified for teams in Netlify organizations Skew protection for CLI workflows Support for more domain TLDs GPT-5.1 model now available in AI Gateway React Router 7 apps can now be deployed to Edge Functions | Netlify Changelog Git SHA exposed for triggered deploys | Netlify Changelog Test scheduled functions in Netlify dashboard | Netlify Changelog Revert agent run in a task | Netlify Changelog Deletion improvements with Netlify Blobs | Netlify Changelog Preview Server restart for cross-functional collaborators | Netlify Changelog AI inference usage graphs | Netlify Changelog Buy credit packs on demand | Netlify Changelog React Router 7 middleware now supported | Netlify Changelog Skew protection now available | Netlify Changelog Next.js 16 is ready to deploy on Netlify | Netlify Changelog Enforce Git-based workflows for production deploys | Netlify Changelog Claude Haiku 4.5 is now available in the AI Gateway | Netlify Changelog GPT 5 Pro now available in the AI Gateway | Netlify Changelog Updates to credit-based Personal and Pro plans | Netlify Changelog New AI workflows: Agent Runners and AI Gateway (beta) | Netlify Changelog Netlify pricing update: Introducing credit-based plans | Netlify Changelog Security Update: Multiple vulnerabilities in Next.js | Netlify Changelog ChatGPT deep link for failed deploy analysis | Netlify Changelog Equinix IP address expiring for 4-year old sites | Netlify Changelog Nuxt 4 support + new @netlify/nuxt module for local dev | Netlify Changelog Smart Secret Scanning for AI-Generated Code | Netlify Netlify DB: Serverless PostgreSQL Database | Netlify One-click install Netlify MCP on Cursor | Netlify Changelog Netlify MCP Server: AI Agents Can Now Deploy Code Directly | Netlify Netlify Becomes Official Vite Deployment Partner + New Plugin | Netlify Angular 20 support | Netlify Changelog Netlify CLI 21.4.1 UI and workflow enhancements | Netlify Changelog Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 | Netlify Changelog
Introducing Secrets Controller: Proactive Security for Secret Keys
Nahrin Jalal · 2023-08-22 · via Netlify Changelog

Shipping fast and shipping securely don’t have to be at odds. A critical component of your site’s security posture is handling secret and sensitive values. Handling sensitive values in a controlled manner allows your team to focus on shipping customer value without slowing down to manage the risk of using environment variables within your site. That’s why we are introducing Netlify Secrets Controller, to help your team ship faster — securely.

Securing your secret keys

Secrets Controller is a new feature set from Netlify that provides a stricter access control policy, improved logging safety, and proactive secret scanning to find variables that your site might be exposing. These added layers greatly reduce the business risk of inadvertent or malicious exposure of your site’s secret values (e.g. database passwords or vault keys). Let’s see how that works and how these improvements impact your team.

Watch the 1-minute demo video

Secure handling of secret values with environment variables

As the ubiquitous method for providing variable settings to your applications, secure handling of secret values centers around environment variables. When you add or update an environment variable in Netlify, you can mark if it “contains sensitive values.” From there, all of the capabilities of Secrets Controller are applied to any variable marked this way.

Benefits of marking environment variables as secret values

What happens with these environment variables when they are marked as secret?

  • An opinionated secrets policy is applied to them to ensure only code running on Netlify can access the raw values after they are set.
  • Secret values are masked in build logs.
  • During builds, Netlify scans the built site and repo code to find permutations of the secrets that might be embedded and stops the build from being published.

On-Demand Webinar

Access control for your secret keys

Not all environment variables are created equal. Some are simple settings while others are incredibly sensitive. Some very common examples:

  • Database passwords
  • API keys to a credentials vault
  • Secret keys to connect to your storage layers
  • Encryption/Signing keys

These environment variable values represent some of your site’s most sensitive pieces of data. How you handle these secrets can either increase your team’s velocity or slow it down due to added risk. At worst, the ability to control access can lead to a security incident impacting your business. Just recently, Microsoft announced that a stolen Azure AD signing key was used to breach the Exchange Online and Azure AD accounts of two dozen organizations.

With Secrets Controller, the environment variables containing sensitive values will be held to a clear and opinionated policy about how they can be used and accessed. This policy is based on industry best practices that puts constraints on secrets such that there’s no way for them to be accessed outside of your code running on Netlify.

Key parts of the secrets policy:

  • Secret values are write-only. After setting a value, the UI, CLI, and API will no longer provide a human-readable, unmasked version of the value.
  • Only code running on Netlify’s systems can read the original, unmasked values.
  • The policy cannot be overridden and settings cannot be manipulated to allow the value to be human-readable from the UI, CLI, and API.

The complete policy promotes defense-in-depth security with strict layers for your team to build against. When your team creates a secret value, they will know how it can be accessed and, more importantly, the ways it cannot be accessed. With Netlify Secrets Controller, there’s no additional permissions to manage or ensure are sufficiently strict. There’s no accidentally leaving the secret value open, and there is now a clear understanding that only builds/deploys on Netlify can possibly access the values. When your team goes through auditing exercises, the Secrets Controller policy will save your team valuable time and let them focus their efforts on other areas.

Consequences of mishandling environment variables

As your team is developing new features or debugging existing ones, they are focused on solving the feature problems at hand. For one reason or another, teams eventually find themselves in the position that secrets ended up in the wrong place. If this happens, the time it takes to detect the exposure and then mitigate the impact are paramount to the amount of damage this exposure could potentially cause to your customers or the business.

Let’s take a look at a case that’s painfully easy to do:

App Settings We have a website that has a few configurations for feature flags. This site sets the flags via environment variables. During our build, we’ve been manually injecting these values into the site as follows:

flags.FEATURE_FLAG_A = process.env.FEATURE_FLAG_A;

flags.FEATURE_FLAG_B = process.env.FEATURE_FLAG_B;

After the build, the website’s public, client code has these flags injected into it.

At some point in the future, a developer gets tired of doing this process and wants to streamline it so that feature flags automatically appear in the client when defined. The above code is changed to:

flags = {...process.env};

After the build, the website’s public, client code will have all of the flags set as environment variables automatically, just as the developer intended. However, it will also have any other environment variables that are set as well.

There are two realities that this could represent: 1) the developer might not have realized this over injection and publicly exposed secrets or 2) the developer knew this would inject all environment variables but is expecting they should only be used for feature flags on this site. Then one day, another developer or business stakeholder adds a secret environment variable to the site or team. Not knowing this assumption in this site, the next deploy will publicly expose secrets.

Yikes! That was so easy to do!

Netlify Secrets Controller: automatic secret scanning

With Netlify Secrets Controller, after the build completes but before the site is deployed, Netlify’s build system will automatically search for the existence of this site’s secrets in the code repo pulled to create the site and the build output. If the secret scanning finds a secret, it will fail the build and inform the developer of what environment variable secret was found in the repository or build output. It will also tell the developer where to find it in that file.

Proactive protection with Netlify Secrets Controller

Going back to our example of two realities above: 1) if the developer’s change immediately started injecting secrets, the build would have been blocked automatically preventing secrets exposure. Or 2) the next build and deploy after a stakeholder added a secret environment variable would have also resulted in a blocked build to prevent exposure of the secret variable values.

Automatic secret scanning provided by Netlify Secrets Controller gives you proactive protection to prevent and/or stop ongoing exposure of your business’ secret environment variable values.

Enhanced security with Netlify Secrets Controller unlocks speed

When you put all of these capabilities together, Netlify Secrets Controller allows your team to rely on clear boundaries where secrets can be accessed and proactive protections to make sure those values aren’t put in places that can be easily exposed to outside actors or internal teams. These layers of protections allow teams to build with confidence and that means they are building faster and more securely.

Ship **it Securely with your team

If you’re a current enterprise customer, all you need to start using Secrets Controller is to start marking your environment variables as secrets if they contain sensitive values. From that point, all of the benefits of Secrets Controller are automatically enabled — including proactive secrets scanning.

If you’re not a Netlify Enterprise customer, reach out to our team for a custom demo.

If you’re trying to figure out how to take advantage of Secrets Controller and the various options available to suit your unique needs, visit our Secrets Controller docs.