codingbutvibes

Developer Security Hub

Protect your development environment, code, and credentials. Essential security tools, guides, and best practices for developers who take security seriously.

Updated: January 2025

Quick Security Check

Three things to do right now: 1) Enable 2FA on GitHub/GitLab if you haven't. 2) Check your last 5 commits for accidentally committed secrets. 3) Use a VPN next time you're on public WiFi. Most security breaches come from simple mistakes.

Protect Your Development Traffic

Your code, API calls, and credentials travel over the network. On public WiFi, anyone on the same network can try to intercept them. A VPN encrypts all traffic between your device and the VPN server, making it unreadable to attackers on the local network.

Why Developers Need VPN

  • Encrypt git push/pull on untrusted networks
  • Protect API calls containing auth tokens
  • Hide browsing from ISP/network admins
  • Access region-locked dev resources

NordVPN Features

  • No-logs policy (audited)
  • Kill switch prevents leaks
  • CLI tool for developers
  • 5,500+ servers in 60 countries

Security Threat Models for Developers

Remote Work Security

High Priority

Protect your development environment when working from coffee shops, co-working spaces, or traveling.

⚠️ Threats

  • Public WiFi interception
  • Man-in-the-middle attacks
  • Device theft
  • Shoulder surfing

✓ Mitigations

  • Always use VPN
  • Enable disk encryption
  • Use 2FA everywhere
  • Screen privacy filter

API & Credentials Security

Critical Priority

Protect API keys, tokens, and credentials from exposure or theft.

⚠️ Threats

  • Accidental git commits
  • Log exposure
  • Environment variable leaks
  • Dependency attacks

✓ Mitigations

  • Use .env files properly (excluded from git)
  • Git hooks for secrets
  • Rotate keys regularly
  • Use secret managers

AI Tool Security

Medium Priority

Understand what happens to your code when using AI coding assistants.

⚠️ Threats

  • Code sent to third parties
  • Training data exposure
  • Context window leaks
  • Prompt injection

✓ Mitigations

  • Review privacy policies
  • Use enterprise tiers
  • Sanitize sensitive data
  • Local LLM options

Additional Security Tools

Password Manager

1Password

Secure password manager for development teams. Store API keys, credentials, and secrets safely.

  • Team sharing
  • 2FA support
  • Developer-friendly CLI
  • Secret automation

Password Manager

Bitwarden

Open-source password manager with excellent free tier. Self-hostable for maximum control.

  • Open source
  • Free tier
  • Self-hosting
  • CLI tools

Authentication

Auth0

Identity platform for adding authentication to your apps. Handles OAuth, SAML, and more.

  • OAuth 2.0
  • SAML
  • Multi-factor auth
  • Social logins

🔐 Quick Security Checklist

Accounts & Access

  • ☐ Enable 2FA on GitHub/GitLab
  • ☐ Enable 2FA on cloud providers
  • ☐ Use unique passwords (password manager)
  • ☐ Review connected OAuth apps

Code & Secrets

  • ☐ Never commit secrets to git
  • ☐ Use .env files (in .gitignore)
  • ☐ Set up pre-commit hooks
  • ☐ Rotate API keys quarterly

Local Environment

  • ☐ Enable full-disk encryption
  • ☐ Keep OS/tools updated
  • ☐ Use VPN on public networks
  • ☐ Lock screen when away

Frequently Asked Questions

Do I really need a VPN for coding?

If you ever work from coffee shops, airports, or co-working spaces, or while traveling, yes. Public WiFi can expose your traffic, including API calls, git operations, and credentials. A VPN encrypts all traffic between your device and the VPN server, preventing interception on the local network. Even at home, a VPN adds privacy from your ISP.

Are AI coding tools safe for proprietary code?

It depends on the tool and tier. Most enterprise plans (Copilot Business, Cursor Business) explicitly don't train on your code and offer data processing agreements. Free tiers may have fewer guarantees. Always check the specific tool's data policy and consider what code you're comfortable sharing.

What's the biggest security mistake developers make?

Committing secrets (API keys, passwords, tokens) to git repositories. Even if you delete the commit, it's in the history. Use .gitignore, pre-commit hooks, and tools like git-secrets to prevent this. If you've already committed a secret, rotate it immediately.
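As an added example (not code from this page or from git-secrets), here is the kind of check a pre-commit hook performs: it reads unified-diff text, such as the output of `git diff --cached` or `git log -p -5`, and reports secrets on added lines only. The rule set, the function names, and the sample diff are illustrative assumptions.

```python
import re

# Illustrative rules only; dedicated scanners such as git-secrets ship far more.
KEYWORD = r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['\"]?"
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # a secret-like variable name assigned a long, token-shaped literal
    "assigned_secret": re.compile(KEYWORD + r"([A-Za-z0-9_\-+/=]{16,})"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def match_rules(text):
    hits = []
    for name, rx in RULES.items():
        m = rx.search(text)
        # Heuristic: a token-shaped value with no digit is usually an identifier.
        if m and (name != "assigned_secret" or re.search(r"\d", m.group(1))):
            hits.append(name)
    return hits

def scan_diff(diff_text):
    """Scan unified-diff text; return (path, new_line_number, rule) per finding."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # next file: headers follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif (m := HUNK.match(line)):
            in_hunk, lineno = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):   # added line: the only kind scanned
            findings += [(path, lineno, rule) for rule in match_rules(line[1:])]
            lineno += 1
        elif in_hunk and line.startswith(" "):   # context line: advances numbering
            lineno += 1
    return findings

# Constructed sample shaped like `git diff --cached` output; all values are fake.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,4 @@
 import os
-DEBUG = True
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+PAYMENT_API_KEY = "constructed0123456789abcdefSAMPLE"
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""
```

In a hook, a non-empty result from `scan_diff` would be the signal to exit non-zero and block the commit; the environment lookup on line 2 of the sample is correctly left alone.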

How do I secure my local development environment?

Enable full-disk encryption, use a password manager for all credentials, enable 2FA on GitHub/GitLab, keep your OS and tools updated, use a VPN on untrusted networks, and never store secrets in plaintext files or environment variables in your shell config.

Should I use a different browser for development?

Consider it. Using a separate browser profile or browser (like Firefox for dev, Chrome for personal) isolates cookies, sessions, and potential tracking. Some developers use containerized browsers or VMs for testing untrusted code.

How do I protect API keys in my code?

Never hardcode them. Use environment variables loaded at runtime, secret management services (AWS Secrets Manager, HashiCorp Vault), or .env files excluded from git. For client-side code, use backend proxies so keys never reach the browser.
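The sketch below is an added example, not code from this page: it reads a key from the environment at runtime, fails closed when the key is missing, and scrubs the value from log output, which addresses the "Log exposure" threat listed earlier. The names `require_secret`, `RedactSecrets`, `ListHandler`, and `PAYMENT_API_KEY` are hypothetical.

```python
import logging
import os


def require_secret(name, environ=os.environ):
    """Read a secret from the environment at runtime; fail closed if it is missing."""
    value = environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


class RedactSecrets(logging.Filter):
    """Replace known secret values with a marker before a record is emitted."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record):
        message = record.getMessage()            # apply format args first, then scrub
        for secret in self._secrets:
            message = message.replace(secret, "[REDACTED]")
        record.msg, record.args = message, None
        return True


class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo():
    # Constructed value standing in for os.environ; never a real key.
    env = {"PAYMENT_API_KEY": "constructed-value-0123456789"}
    key = require_secret("PAYMENT_API_KEY", env)
    handler = ListHandler()
    handler.addFilter(RedactSecrets([key]))
    log = logging.getLogger("redaction-demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    log.info("calling upstream with Authorization=%s", f"Bearer {key}")
    return handler.lines
```

Attaching the filter to the handler rather than the logger means records propagated from child loggers are scrubbed as well.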