
Why it Matters

API keys, access tokens, and other credentials should never be stored in the Magento database or in plaintext configuration fields within the Admin UI. If the database is compromised, an attacker can dump it and extract keys for payment gateways, shipping providers, or marketing integrations.

Storing API keys in app/etc/env.php keeps them outside the database, under file system and deployment controls. This makes key rotation easier, prevents accidental leaks in DB backups, and aligns with secure secrets management practices.

Verification Steps

Database check

# Look for API keys stored in core_config_data
mysql -e "SELECT path, value FROM core_config_data WHERE path LIKE '%api%key%';"

# Expected: no plaintext API keys in DB

env.php check

# Inspect app/etc/env.php
grep -i "api" app/etc/env.php

# Expected: keys defined here instead of DB
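
The database check above only matches paths that contain both "api" and "key". The following script is an added example, not part of the original baseline: it widens the match to tokens and secrets and reports only the paths, never the values. The function names, the regular expression and the sample rows are assumptions constructed for illustration, and hits are heuristic and need manual review.

```shell
#!/bin/sh
# Added example: audit core_config_data rows for credential-like settings.
# Input on stdin: tab-separated "path<TAB>value" rows, e.g. produced by
#   mysql -N -B -e "SELECT path, value FROM core_config_data" <database>

# Print the path of every row whose path looks like a credential setting and
# whose value is set. Values are never printed, so the report can be shared.
find_db_secrets() {
  awk -F '\t' '
    {
      p = tolower($1)
      # Assumed heuristic: superset of the LIKE pattern used in the check above.
      if (p ~ /(api.*key|token|secret)/ && $2 != "" && $2 != "NULL")
        print $1
    }'
}

# Return 0 (PASS) when nothing is flagged, 1 (FAIL) otherwise.
audit_db_secrets() {
  hits=$(find_db_secrets)
  if [ -z "$hits" ]; then
    echo 'PASS: no credential-like values in core_config_data'
    return 0
  fi
  printf '%s\n' "$hits" | sed 's/^/FAIL: credential-like value in DB at /'
  return 1
}

# Constructed sample rows (not taken from a real store).
sample_rows() {
  printf '%s\t%s\n' \
    'payment/stripe/api_key'           'sk_live_abc123' \
    'carriers/example/access_token'    'tok_constructed_1' \
    'web/secure/base_url'              'https://shop.example/' \
    'payment/example/api_key'          'NULL' \
    'newsletter/example/client_secret' 'constructed-secret'
}

# Demo run on the constructed rows; "|| true" keeps the script's exit status 0.
sample_rows | audit_db_secrets || true
```

In a deployment pipeline, pipe the real query output into `audit_db_secrets` and let its exit status fail the job.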

Remediation / Fix Guidance

  1. Move all API keys from core_config_data into app/etc/env.php.
  2. Reference env.php values in config.php or modules instead of DB-stored settings.
  3. Ensure env.php is excluded from version control (.gitignore).
  4. Rotate any keys that were previously stored in plaintext in the DB.
  5. For higher security, integrate with a secrets manager (Vault, AWS Secrets Manager, Azure Key Vault) and inject keys into env.php during deployment.

Examples

Fail Example

# core_config_data entry
path  = payment/stripe/api_key
value = sk_live_abc123   # FAIL: plaintext in DB

Pass Example

# app/etc/env.php
'stripe' => [
  'api_key' => 'sk_live_abc123'
]
# PASS: key stored in env.php, not DB
