Secrets (passwords, API keys, certificates) need special handling.
Anti-patterns:
- Secrets in code or Git
- Secrets in environment variables (can leak through logs and child processes)
- Shared secrets across environments
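The environment-variable leak paths named above (child processes and logs), shown as an added example that is not part of the original notes. The variable name `DB_PASSWORD`, its value, and the helper names are constructed for illustration.

```python
import os
import subprocess
import sys

SECRET_NAME = "DB_PASSWORD"                 # hypothetical variable name
SECRET_VALUE = "constructed-example-value"  # constructed sample, not a real credential

# Code the child process runs: report what it can see of the parent's secret.
CHILD_CODE = "import os; print(os.environ.get('DB_PASSWORD', '<absent>'))"


def run_child(env):
    """Start a child Python process with `env` and return what it sees."""
    out = subprocess.run([sys.executable, "-c", CHILD_CODE], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def scrubbed_env(parent_env, allow=("PATH", "SYSTEMROOT", "LANG")):
    """Build the child's environment from an allowlist instead of inheriting all."""
    return {k: v for k, v in parent_env.items() if k in allow}


def redact_env_for_log(env, markers=("PASSWORD", "SECRET", "TOKEN", "KEY")):
    """Return a copy that is safe to log: secret-looking names get masked values."""
    return {k: ("***" if any(m in k.upper() for m in markers) else v)
            for k, v in env.items()}


def demo():
    parent = dict(os.environ)
    parent[SECRET_NAME] = SECRET_VALUE
    inherited = run_child(parent)                # full inheritance: secret leaks
    isolated = run_child(scrubbed_env(parent))   # allowlist: secret not passed on
    logged = redact_env_for_log(parent)[SECRET_NAME]
    return inherited, isolated, logged


if __name__ == "__main__":
    print(demo())
```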
Best practices:
- Use a secrets manager (Vault, AWS Secrets Manager, GCP Secret Manager)
- Rotate secrets regularly
- Audit secret access
- Use short-lived credentials where possible
HashiCorp Vault:
- Centralized secrets management
- Dynamic secrets (generated on demand)
Interview question: "How do you manage database credentials?"
Store in Vault. Applications fetch at runtime. Rotate regularly.