Which of the following is NOT a way to keep your access token safe?
- Rotate your access tokens every six months
- Store access tokens in an .env file
- Keep your access tokens in a GitHub repository
- Routinely check call logs for any suspicious activity
Explanation: The selected answer, ‘Keep your access tokens in a GitHub repository,’ is correct because storing access tokens in a public or even private GitHub repository poses a significant security risk. Access tokens are sensitive pieces of information that grant access to resources or services, and exposing them in a version-controlled repository, such as GitHub, makes them vulnerable to unauthorized access or exploitation by malicious actors. GitHub repositories are often subject to scrutiny by automated bots or attackers scanning for sensitive information, including access tokens, which, if leaked, can lead to unauthorized access to the associated accounts or resources. Therefore, keeping access tokens in a GitHub repository violates basic security principles and increases the likelihood of a security breach. In contrast, rotating access tokens regularly, storing them securely in environment variables (e.g., .env files), and monitoring call logs for suspicious activity are all valid practices for safeguarding access tokens and maintaining the security of API integrations. Rotating access tokens periodically helps mitigate the impact of potential token leaks, storing tokens in environment variables reduces the risk of accidental exposure, and routinely monitoring call logs allows for the detection of unauthorized access or unusual behavior, contributing to overall access token security. Therefore, avoiding storing access tokens in GitHub repositories is crucial for preventing security incidents and ensuring the confidentiality and integrity of sensitive authentication credentials.