Infisical’s security model includes many considerations and initiatives.
/environment-variables path in the production environment of a project. If the token is tried for another project, environment, or path outside of its permission set, then it is rejected by the API.
It should also be noted that projects in Infisical can be configured to restrict service token access to specific IP addresses or CIDR ranges; this can be useful for limiting access to traffic coming from corporate networks.
In the event of compromise, an attacker could use a service token to access the secrets that it is provisioned for. It is critical here for the project administrator(s) to revoke the token immediately to prevent further unintended access to resources; it is also currently advisable to transfer the secrets to a new project, where a new project key is created on the client side.
run/secret command will utilize the saved secrets, even when offline, on subsequent fetch attempts to ensure that you always have access to secrets.
HttpOnly cookies and included in future requests to /api/token for JWT token renewal.
0.0.0.0/0 entry, representing all possible IPv4 addresses. For enhanced security, we strongly recommend replacing the default entry with your client IPs to tighten access to your secrets.
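As an added example (not Infisical's own code), the following Python models the checks described above: a service token scoped to one project, environment and path, plus the IP/CIDR allowlist whose default 0.0.0.0/0 entry lets any IPv4 client use the token. The dataclass, the function names and the prefix matching of paths are assumptions, not the Infisical API.

```python
"""Model of an Infisical-style service-token authorization check.

Assumptions (not Infisical's implementation): field names, function
names, and that a token's path grants access to secrets under that path.
"""
import ipaddress
from dataclasses import dataclass

PERMIT_ALL = ipaddress.ip_network("0.0.0.0/0")  # the default allowlist entry


@dataclass(frozen=True)
class ServiceTokenScope:
    project: str
    environment: str
    path: str                                 # secret path the token may read
    allowed_cidrs: tuple = ("0.0.0.0/0",)     # default: any IPv4 address


def path_in_scope(token_path: str, requested: str) -> bool:
    """True only if `requested` equals `token_path` or sits beneath it (assumed rule)."""
    base = token_path.rstrip("/") + "/"
    return requested == token_path.rstrip("/") or requested.startswith(base)


def ip_allowed(allowed_cidrs, client_ip: str) -> bool:
    """True if the client address falls inside any configured CIDR range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def authorize(scope: ServiceTokenScope, project: str, environment: str,
              path: str, client_ip: str) -> tuple:
    """Return (allowed, reason). Any request outside the token's project,
    environment, path, or IP allowlist is rejected, as the text describes."""
    if project != scope.project:
        return False, "project mismatch"
    if environment != scope.environment:
        return False, "environment mismatch"
    if not path_in_scope(scope.path, path):
        return False, "path outside token scope"
    if not ip_allowed(scope.allowed_cidrs, client_ip):
        return False, "client IP not in allowlist"
    return True, "ok"


def allowlist_is_permit_all(allowed_cidrs) -> bool:
    """Flag the default 0.0.0.0/0 entry, which leaves the token usable from anywhere."""
    return any(ipaddress.ip_network(c, strict=False) == PERMIT_ALL for c in allowed_cidrs)
```

Running `allowlist_is_permit_all` over each project's configured ranges is a quick audit for tokens still on the permit-all default.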