
Externalize sandbox secrets & harden security logging (STA-245) #249

Description

@Puneethkumarck

Summary

PR #248 review identified critical security issues — hardcoded secrets in docker-compose.sandbox.yml and insecure logging defaults that leak PII and crypto details.

Issues to Fix

Critical — Secret Externalization

  1. Stripe webhook secret hardcoded (docker-compose.sandbox.yml:225)

    • APP_PSP_STRIPE_WEBHOOK_WEBHOOK_SECRET: "whsec_2103ca6a..." committed to source control
    • Action: Replace with ${STRIPE_SANDBOX_WEBHOOK_SECRET}, rotate the leaked secret in Stripe dashboard, add to .env.sandbox
  2. EVM private key hardcoded (docker-compose.sandbox.yml:260)

    • APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "4b59e111..." committed to source control
    • Action: Replace with ${CUSTODY_DEV_EVM_PRIVATE_KEY}, generate new sandbox wallet, fund it, invalidate old key, add to .env.sandbox
  3. Create .env.sandbox.template with placeholder values (committed) and .env.sandbox (gitignored) for actual secrets

Major — Logging Security

  1. External API logging enabled by default (docker-compose.sandbox.yml — 7 occurrences)

    • APP_EXTERNAL_API_LOGGING_ENABLED: "true" logs full request/response payloads including PII and provider API keys
    • Action: Default to "false", enable only per-service for targeted debugging
  2. Crypto stack trace logging (GlobalExceptionHandler.java:65)

    • log.error("Custody signing error: {}", ex.getMessage(), ex) logs full stack from JWT signing / crypto operations
    • Action: Remove throwable parameter — log only ex.getMessage(), no stack trace for signing path
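
The following is an added example, not tooling from the issue or the repository: a POSIX shell pre-commit style check that covers both the secret-externalization items and the logging default above. It counts literal secret values and enabled external API logging in a compose file, confirms that `.env.sandbox` is gitignored, and checks that every `${VAR}` the compose file references has a placeholder line in `.env.sandbox.template`. The regexes, the fixture file names and the template check are assumptions modelled on the value shapes quoted in the issue (a `whsec_...` webhook secret, a 64-hex EVM key, `${VAR}` substitution); all fixture values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the project's own tooling): a pre-commit style check that
# counts hardcoded secret-looking env values and enabled external API logging in
# a compose file, and verifies the .env.sandbox / template arrangement from the
# issue. Regexes and file names are assumptions modelled on the shapes quoted
# in the issue (whsec_... webhook secret, 64-hex EVM key, ${VAR} substitution).
set -eu

# Prints how many SECRET/PRIVATE_KEY assignments carry a literal secret value.
# An externalized value written as "${VAR}" is not matched and so not counted.
count_hardcoded_secrets() {
  grep -cE '(SECRET|PRIVATE_KEY)[A-Za-z_]*:[[:space:]]*"?(whsec_[A-Za-z0-9]+|(0x)?[0-9a-fA-F]{64})' "$1" || true
}

# Prints how many services leave APP_EXTERNAL_API_LOGGING_ENABLED at "true".
count_api_logging_enabled() {
  grep -cE 'APP_EXTERNAL_API_LOGGING_ENABLED:[[:space:]]*"?true"?' "$1" || true
}

# Prints 1 when the given path is listed verbatim in the .gitignore file, else 0.
is_gitignored() {
  if grep -qxF "$1" "$2"; then echo 1; else echo 0; fi
}

# Prints how many ${VAR} substitutions in the compose file have no VAR= line in
# the template, so a placeholder that was never added is caught before deploy.
count_vars_missing_from_template() {
  missing=0
  for var in $(grep -oE '\$\{[A-Z0-9_]+\}' "$1" | tr -d '${}' | sort -u); do
    grep -qE "^${var}=" "$2" || missing=$((missing + 1))
  done
  echo "$missing"
}

# --- constructed fixtures (all values are fake placeholders, not real secrets) ---
WORK=$(mktemp -d)

# The insecure shape the issue describes: literals in the committed compose file.
cat > "$WORK/docker-compose.bad.yml" <<'EOF'
services:
  payments:
    environment:
      APP_PSP_STRIPE_WEBHOOK_WEBHOOK_SECRET: "whsec_0000000000000000000000000000000000000000"
      APP_EXTERNAL_API_LOGGING_ENABLED: "true"
  custody:
    environment:
      APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "0000000000000000000000000000000000000000000000000000000000000000"
      APP_EXTERNAL_API_LOGGING_ENABLED: "true"
EOF

# The corrected shape: values substituted from the environment, logging off.
cat > "$WORK/docker-compose.good.yml" <<'EOF'
services:
  payments:
    environment:
      APP_PSP_STRIPE_WEBHOOK_WEBHOOK_SECRET: "${STRIPE_SANDBOX_WEBHOOK_SECRET}"
      APP_EXTERNAL_API_LOGGING_ENABLED: "false"
  custody:
    environment:
      APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "${CUSTODY_DEV_EVM_PRIVATE_KEY}"
      APP_EXTERNAL_API_LOGGING_ENABLED: "false"
EOF

# Committed template with placeholders; the real .env.sandbox is gitignored.
cat > "$WORK/.env.sandbox.template" <<'EOF'
STRIPE_SANDBOX_WEBHOOK_SECRET=replace-me
CUSTODY_DEV_EVM_PRIVATE_KEY=replace-me
EOF
printf '.env.sandbox\n' > "$WORK/.gitignore"

# Report for both fixtures; in a hook you would exit non-zero on any non-zero count.
for f in "$WORK/docker-compose.bad.yml" "$WORK/docker-compose.good.yml"; do
  echo "$(basename "$f"): hardcoded_secrets=$(count_hardcoded_secrets "$f")" \
       "api_logging_enabled=$(count_api_logging_enabled "$f")" \
       "vars_missing_from_template=$(count_vars_missing_from_template "$f" "$WORK/.env.sandbox.template")"
done
echo ".env.sandbox gitignored: $(is_gitignored .env.sandbox "$WORK/.gitignore")"
```

Run against the real repository by pointing the functions at `docker-compose.sandbox.yml`, `.env.sandbox.template` and `.gitignore` instead of the fixtures; the pattern list is deliberately narrow (only the two value shapes named in the issue), so extend it for any other provider credential formats the services use.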

Acceptance Criteria

  • No hardcoded secrets in any committed file
  • .env.sandbox.template committed with placeholder values
  • .env.sandbox in .gitignore
  • Old Stripe webhook secret rotated
  • Old EVM private key invalidated, new wallet funded
  • External API logging defaults to false
  • CustodySigningException handler logs message only, no stack trace
  • All existing tests pass

Labels

  • cross-cutting: Affects all services
  • p0-blocker: Production blocker
  • sandbox: Sandbox / testnet integration
  • security: Security hardening