Environments & Security Exercises
Fill in the blanks to test your knowledge.
Access an environment variable in Node.js
Set NODE_ENV to production in a shell environment
NODE_ENV=production node server.js
Hash a password using bcrypt with a salt round of 10
Verify a bcrypt password against a stored hash
Sign a JWT with a secret and 1-hour expiry
Set the HTTP header that prevents clickjacking
res.setHeader('', 'DENY');
Specify the Docker base image for a Node 20 app
node:20-alpine
Expose port 3000 in a Dockerfile
___ 3000
Pass an environment variable into a Docker container at run time
docker run ___ DATABASE_URL=$DATABASE_URL myapp
Add the .env file to .gitignore to keep secrets out of version control
echo ___ >> .gitignore
In a .env file, environment variables are set as KEY=___ pairs without quotes (for simple values)
DATABASE_URL=postgres://localhost:5432/mydb
API_KEY=
NODE_ENV=production
In Node.js, read an environment variable using the process.___ object
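To tie the `.env` format and `process.env` prompts together, here is an added example (not from the original page) of a minimal `.env` loader. It implements a subset of what the dotenv package does: comments and blank lines are skipped, unquoted values are trimmed and may carry a trailing ` #` comment, quoted values are kept verbatim, and values already present in the real environment are never overridden. The sample file contents are constructed and contain no real credentials.

```javascript
// Added example: a minimal .env loader showing the KEY=VALUE rules and how values
// reach process.env. Subset of dotenv behaviour; not the dotenv package itself.

// Constructed sample .env contents (no real key).
const SAMPLE_ENV = [
  '# constructed sample, not a real key',
  'DATABASE_URL=postgres://localhost:5432/mydb',
  'API_KEY=example-not-a-real-key   # trailing comment',
  'GREETING="hello world"',
  'NODE_ENV=production',
].join('\n');

function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;   // blank line or comment
    const eq = line.indexOf('=');
    if (eq === -1) continue;                       // not a KEY=VALUE line
    const key = line.slice(0, eq).trim();
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue;
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) {
      value = quoted[2];                           // quoted: keep spaces and '#' verbatim
    } else {
      const hash = value.indexOf(' #');
      if (hash !== -1) value = value.slice(0, hash).trim();
    }
    out[key] = value;
  }
  return out;
}

// Applies parsed values to env, but the real environment always wins: a value set by
// the shell or container runtime is never clobbered by a file. Returns the keys applied.
function loadDotenv(text, env = process.env) {
  const applied = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (Object.prototype.hasOwnProperty.call(env, key)) continue;
    env[key] = value;
    applied.push(key);
  }
  return applied;
}

// Convenience for the usual case: load ./.env if it exists, otherwise do nothing.
function loadDotenvFile(path = '.env') {
  const fs = require('node:fs');
  if (!fs.existsSync(path)) return [];
  return loadDotenv(fs.readFileSync(path, 'utf8'));
}

// Fail fast at startup instead of failing later with an undefined connection string.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}
```

The "real environment wins" rule is why a `.env` file is safe for local development and harmless in production: the container runtime's `-e`/Secret-mounted values take precedence, and the file itself stays out of the image and the repository.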
A Docker ___ file defines how to build a container image layer by layer
# Example
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
# npm ci installs exactly what package-lock.json pins (reproducible, fails on drift);
# --omit=dev keeps dev tooling out of the production image
RUN npm ci --omit=dev
COPY . .
# the official node images ship an unprivileged "node" user; do not run the app as root
USER node
CMD ["node", "index.js"]
In a GitHub Actions workflow, a job step that runs shell commands uses the ___ keyword
steps:
  - name: Install dependencies
    ___: npm install
  - name: Run tests
    ___: npm test
The OWASP Top 10 vulnerability where untrusted data is sent to an interpreter is called ___
// Vulnerable: SQL injection. The untrusted userId is concatenated into the statement,
// so a value like "1 OR 1=1" changes the query's logic.
const query = "SELECT * FROM users WHERE id = " + userId;

// Safe: parameterized query. The SQL text is constant and the driver sends the value
// separately ($1 is node-postgres style; other drivers use ? or :name).
const query = "SELECT * FROM users WHERE id = $1";
db.query(query, [userId]);
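As an added example (not from the original page), the two query styles above with a constructed attacker payload, plus the input check a handler should make before the value reaches the database at all. No database is needed; the point is what text the driver receives in each case. `PAYLOAD`, `parseUserId` and `lookupUserQuery` are this example's own names.

```javascript
// Added example: why parameterization works, shown on the page's own query.
const PAYLOAD = '1 OR 1=1'; // constructed sample: what an attacker sends as ?id=

// Vulnerable: the untrusted value is spliced into the SQL text, so it can change the statement.
function buildVulnerableQuery(userId) {
  return 'SELECT * FROM users WHERE id = ' + userId;
}

// Safe: the SQL text is a constant; the value travels separately as a bound parameter
// ($1 is the node-postgres placeholder style; other drivers use ? or :name).
function buildSafeQuery(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [userId] };
}

// Defence in depth: an id is a positive integer, so reject anything else at the edge.
// Returns the number or null; never throws on attacker-controlled input.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,14}$/.test(raw)) return null;
  return Number(raw);
}

// A handler shaped like the page's example: validate first, then parameterize.
function lookupUserQuery(rawId) {
  const id = parseUserId(rawId);
  if (id === null) return { error: 'invalid id' };
  return buildSafeQuery(id);
}
```

With the payload, the vulnerable builder hands the driver `SELECT * FROM users WHERE id = 1 OR 1=1`, which returns every row; the safe builder hands it the unchanged statement and the string `1 OR 1=1` as a value that can never be parsed as SQL. The validator is not a substitute for parameterization, it just rejects obviously hostile input earlier.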
HTTPS uses ___ (Transport Layer Security) to encrypt data between client and server
// TLS 1.3 handshake (simplified)
// 1. Client → Server: ClientHello (supported versions and cipher suites, plus a key share for (EC)DHE)
// 2. Server → Client: ServerHello with its own key share, then (already encrypted) its Certificate
//    and a signature proving it holds the matching private key
// 3. Client verifies the certificate chain against its trust store and checks the hostname;
//    both sides derive the session keys from the key exchange (no session key is ever sent on the wire)
// 4. Encrypted application data begins
JWT stands for JSON Web ___, a compact token format for transmitting claims between parties
Infrastructure as Code uses ___ files to define cloud resources declaratively rather than through manual UI clicks
The principle of ___ privilege means granting only the minimum permissions required for a task to function
In CI/CD, a ___ pipeline runs automatically whenever code is pushed, typically running tests and deploying on success
# GitHub Actions trigger
on:
  ___:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
In Kubernetes, a ___ stores sensitive data like API keys as base64-encoded values and can be mounted into pods. base64 is an encoding, not encryption: anyone allowed to read the object through RBAC, or with access to etcd, sees the plaintext, so pair it with encryption at rest and tight RBAC (or an external store such as Vault).
apiVersion: v1
kind: ___
metadata:
  name: ai-api-keys
  namespace: inference
type: Opaque
# stringData takes plaintext; the API server base64-encodes it into .data on save
stringData:
  openai-api-key: "sk-your-key"
A Kubernetes NetworkPolicy with an empty ___ selector applies to ALL pods in the namespace
In Kubernetes RBAC, a ___ defines permissions within a namespace, while a ClusterRole applies cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ___
metadata:
  name: secret-reader
  namespace: inference
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # without resourceNames this grants get on every Secret in the namespace;
    # add resourceNames: ["ai-api-keys"] to scope it to the one that is needed
    verbs: ["get"]
In HashiCorp Vault, store a secret using the ___ command with the kv-v2 secrets engine
# Store an AI API key in Vault (kv-v2 engine mounted at secret/)
vault ___ put secret/ai/openai \
    api-key="sk-your-openai-key"
# Read it back
vault ___ get -field=api-key secret/ai/openai
# Note: the CLI path secret/ai/openai maps to the API path secret/data/ai/openai,
# which is the path an ACL policy has to reference for kv-v2
A Vault policy uses the ___ keyword to define which operations are permitted on a secret path
path "secret/data/ai/openai" {
  ___ = ["read"]
}
path "secret/*" {
  ___ = ["deny"]
}
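The policy above only works because of how Vault chooses which rule applies: an exact path match beats a glob, and among globs the longest prefix wins, so the `read` on `secret/data/ai/openai` is not cancelled by the `deny` on `secret/*`. Here is an added example (not from the original page, and not Vault's own code) that models that resolution for exact paths and trailing-`*` globs and evaluates the page's two rules; `matchRule` and `isAllowed` are this example's names. Vault's real matcher also supports the `+` single-segment wildcard and several other parameters, which are left out here.

```javascript
// Added example: a simplified model of Vault ACL path resolution, to show why the
// page's "read" rule on secret/data/ai/openai survives the "deny" rule on secret/*.
// Simplifications: exact paths and trailing-"*" globs only, no "+" wildcard.
const POLICY = [
  { path: 'secret/data/ai/openai', capabilities: ['read'] },
  { path: 'secret/*', capabilities: ['deny'] },
];

// Picks the single rule Vault would apply: an exact match wins outright; otherwise the
// glob with the longest matching prefix; null when nothing matches.
function matchRule(rules, requestPath) {
  let best = null;
  let bestPrefixLen = -1;
  for (const rule of rules) {
    if (rule.path.endsWith('*')) {
      const prefix = rule.path.slice(0, -1);
      if (requestPath.startsWith(prefix) && prefix.length > bestPrefixLen) {
        best = rule;
        bestPrefixLen = prefix.length;
      }
    } else if (rule.path === requestPath) {
      return rule; // exact match takes priority over any glob
    }
  }
  return best;
}

// Default deny: no matching rule means no access; a matched rule carrying "deny"
// refuses every capability regardless of what else it lists.
function isAllowed(rules, requestPath, capability) {
  const rule = matchRule(rules, requestPath);
  if (!rule) return false;
  if (rule.capabilities.includes('deny')) return false;
  return rule.capabilities.includes(capability);
}
```

Note what the glob does cover: `secret/metadata/ai/openai` and every other key under the mount are denied, which is what you want for a policy handed to a single workload. Vault's real policy evaluation is the authority here; this model is only meant to make the rule priority visible.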
The Kubernetes Pod Security Standard that prevents privilege escalation and requires non-root execution is called ___
# Label a namespace with the most secure PSS level
apiVersion: v1
kind: Namespace
metadata:
  name: inference
  labels:
    pod-security.kubernetes.io/enforce: ___
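The label above makes the API server reject non-conforming pods, but it helps to know what "conforming" means before a deployment fails. Here is an added example (not from the original page, and not the Kubernetes admission code) that checks a parsed pod spec against the two controls the text names, no privilege escalation and non-root execution, together with the other container-level controls the restricted profile requires: no privileged containers, `drop: ["ALL"]` with at most `NET_BIND_SERVICE` added back, a `RuntimeDefault`/`Localhost` seccomp profile, and no host namespaces. The two pod specs are constructed samples; `checkRestricted` and `ctxValue` are this example's names.

```javascript
// Added example: a checker for the restricted Pod Security Standard's main controls,
// run over two constructed pod specs (the objects you get from parsing the YAML).
// Not the admission controller itself; a pre-flight check for a CI step or a linter.

// Container-level securityContext overrides pod-level for fields that exist on both.
function ctxValue(container, podSpec, field) {
  const c = container.securityContext || {};
  if (c[field] !== undefined) return c[field];
  return (podSpec.securityContext || {})[field];
}

// Returns a list of violation strings; an empty list means the spec passes these checks.
function checkRestricted(podSpec) {
  const violations = [];
  for (const host of ['hostNetwork', 'hostPID', 'hostIPC']) {
    if (podSpec[host] === true) violations.push(`${host} must not be true`);
  }
  const containers = [...(podSpec.containers || []), ...(podSpec.initContainers || [])];
  for (const c of containers) {
    const sc = c.securityContext || {};
    if (sc.privileged === true) violations.push(`${c.name}: privileged must not be true`);
    // Must be explicitly false on every container; there is no pod-level setting for it.
    if (sc.allowPrivilegeEscalation !== false) violations.push(`${c.name}: allowPrivilegeEscalation must be false`);
    if (ctxValue(c, podSpec, 'runAsNonRoot') !== true) violations.push(`${c.name}: runAsNonRoot must be true`);
    if (ctxValue(c, podSpec, 'runAsUser') === 0) violations.push(`${c.name}: runAsUser must not be 0`);
    const caps = sc.capabilities || {};
    if (!(caps.drop || []).includes('ALL')) violations.push(`${c.name}: capabilities.drop must include ALL`);
    const extra = (caps.add || []).filter((cap) => cap !== 'NET_BIND_SERVICE');
    if (extra.length) violations.push(`${c.name}: capabilities.add may only contain NET_BIND_SERVICE`);
    const seccomp = ctxValue(c, podSpec, 'seccompProfile');
    if (!seccomp || !['RuntimeDefault', 'Localhost'].includes(seccomp.type)) {
      violations.push(`${c.name}: seccompProfile.type must be RuntimeDefault or Localhost`);
    }
  }
  return violations;
}

// Constructed sample: the minimal shape that passes in the "inference" namespace.
const HARDENED_POD = {
  securityContext: { runAsNonRoot: true, seccompProfile: { type: 'RuntimeDefault' } },
  containers: [{
    name: 'inference',
    image: 'registry.example/inference:1.0', // placeholder image name
    securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } },
  }],
};

// Constructed sample: a typical first attempt with no securityContext at all.
const INSECURE_POD = {
  containers: [{ name: 'inference', image: 'registry.example/inference:1.0' }],
};
```

Running `checkRestricted(INSECURE_POD)` lists four violations (privilege escalation, non-root, dropped capabilities, seccomp), which is exactly the set the admission controller would cite when the namespace is labelled `enforce: restricted`.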
In Vault, the ___ auth method allows Kubernetes pods to authenticate using their ServiceAccount token
# Enable the auth method
vault auth enable ___
# Bind a ServiceAccount to a Vault policy
# (bound_service_account_namespaces is required; Vault rejects a role without it,
#  and binding only the name would let an identically named SA in another namespace log in)
vault write auth/___/role/inference \
    bound_service_account_names=inference-sa \
    bound_service_account_namespaces=inference \
    policies=ai-reader \
    token_ttl=1h