How to Rotate Production Secrets

Key idea:

Secret rotation in 2026: (1) Enumerate all secrets (DB passwords, API keys, JWT, OAuth client secrets), (2) Central store — AWS Secrets Manager ($0.40/secret/mo), HashiCorp Vault (self-host), Doppler ($5/user), (3) Automatic rotation via Lambda/GitHub Actions, (4) Zero-downtime: dual-read period with old + new keys. After incident — rotate ALL related secrets within an hour.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Inventory: run trufflehog / gitleaks to find all secrets in codebase + git history
  2. Migrate to a secret manager (Vault / AWS SM / Doppler) — remove from .env committed to git
  3. App load: fetch at boot from secret manager, cache in memory (not disk)
  4. Rotation policy: 90 days for long-lived, 24h for high-privilege API keys
  5. Auto-rotation: AWS SM Lambda, Vault PKI engine — generate new key, deploy, revoke old
  6. Dual-read grace period: 5-60 minutes where app accepts both old and new
  7. Post-incident: rotate ALL keys in blast radius within an hour

Working Examples

Scenario: AWS Secrets Manager (Node)

  // Fetch at boot from Secrets Manager; keep the value in memory only
  const { SecretsManager } = require('@aws-sdk/client-secrets-manager');
  const sm = new SecretsManager();
  async function loadDbPassword() {
    const res = await sm.getSecretValue({ SecretId: 'prod/db/password' });
    const { password } = JSON.parse(res.SecretString);
    return password;
  }

Scenario: Vault Agent sidecar (K8s)

  # Pod annotations: the injector renders database/creds/my-app into the pod
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/role: "my-app"
  vault.hashicorp.com/agent-inject-secret-db: "database/creds/my-app"

Scenario: Auto-rotate schedule (Terraform)

  resource "aws_secretsmanager_secret" "db" {
    name = "prod/db"
  }

  # Rotation is its own resource in the AWS provider (4.x and later)
  resource "aws_secretsmanager_secret_rotation" "db" {
    secret_id           = aws_secretsmanager_secret.db.id
    rotation_lambda_arn = aws_lambda_function.rotator.arn
    rotation_rules {
      automatically_after_days = 30
    }
  }

Scenario: trufflehog scan

  # Scan git history for secrets; report only credentials that verify live
  $ docker run -v $(pwd):/repo trufflesecurity/trufflehog:latest \
      git file:///repo --only-verified

Scenario: Dual-read pattern

  const current = await loadSecret('api-key-current');
  const previous = await loadSecret('api-key-previous');
  // During the grace period a token is valid if it matches either key
  function verify(token) {
    return verifyWith(token, current) || verifyWith(token, previous);
  }

Common Pitfalls

  • Rotation without grace period → 5 min outage (all connections rejected) — deploy old+new first
  • Logging secrets to error tracker (Sentry, Datadog) — one exception + process.env → leak
  • Manual quarterly rotation → you will forget. Automate or use short-lived tokens (15 min)
  • Secrets in Dockerfile ENV — end up in image layers, visible to anyone with pull access
  • Cached secrets on disk → survive restart, attacker on instance reads them. In-memory only
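The "logging secrets to error tracker" pitfall above is usually one `catch` block that attaches `process.env` or a connection string to the event. The following added example (not from the original page) scrubs an error payload before it leaves the process: known secret values, taken from environment variables whose names look secret, are replaced everywhere they occur, and any key that itself looks secret is blanked. `scrubErrorEvent`, `redact` and the `message/stack/extra` shape are assumptions, not any particular tracker's hook or schema; the environment is passed in rather than read from `process.env` so the example is deterministic.

```javascript
// Key names that should never reach a log or error tracker.
const SECRET_KEY_RE = /(secret|password|passwd|token|api[_-]?key|private[_-]?key|authorization)/i;

// Collect the values to scrub: env vars with secret-looking names. Short
// values are skipped so a 3-character value does not blank unrelated text.
function secretValuesFrom(env) {
  return Object.entries(env)
    .filter(([k, v]) => SECRET_KEY_RE.test(k) && typeof v === 'string' && v.length >= 8)
    .map(([, v]) => v);
}

// Recursively replace secret values in strings and blank secret-named keys.
function redact(value, secrets, seen = new WeakSet()) {
  if (typeof value === 'string') {
    let out = value;
    for (const s of secrets) out = out.split(s).join('[REDACTED]');
    return out;
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, secrets, seen));
  if (value && typeof value === 'object') {
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY_RE.test(k) ? '[REDACTED]' : redact(v, secrets, seen);
    }
    return out;
  }
  return value;
}

// beforeSend-style hook (assumed shape): build the event the tracker will
// receive from the error, any extra context, and the environment to scrub.
function scrubErrorEvent(err, extra, env) {
  const secrets = secretValuesFrom(env);
  return {
    message: redact(err.message, secrets),
    stack: redact(err.stack || '', secrets),
    extra: redact(extra, secrets),
  };
}

// Constructed sample: the classic leak, a connection string in the message
// plus the whole environment attached as context.
const sampleEnv = { DB_PASSWORD: 'hunter2hunter2', NODE_ENV: 'production' };
const sampleError = new Error('connect to postgres://app:hunter2hunter2@db failed');
const sampleEvent = scrubErrorEvent(
  sampleError,
  { env: sampleEnv, requestId: 'r-1', query: 'password=hunter2hunter2' },
  sampleEnv,
);
```

Value-based scrubbing catches the connection-string case that key-based filtering misses; key-based scrubbing catches values that are too short or not in the environment list. Use both, and keep the hook on the client side so the secret never reaches the tracker's ingest.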

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows the overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Common Mistakes

Missing Content-Security-Policy: CSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS header: Without HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes version: Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not set: Site can be embedded in an iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-Options: Without nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headers: Minimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP gradually: Start with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headers: Remove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-Policy: Restrict camera, microphone, geolocation access to only what is actually used.
Check after every deploy: Security headers can be overwritten during server configuration updates.
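As an added example (not the scanner's own code), the check below runs the "Common Mistakes" and "Best Practices" lists above over a response's header map, the kind of post-deploy check the last point calls for. `auditHeaders` and the finding format are assumptions; it reports the presence and basic shape of each header and does not assign the A to F grade, whose scoring the page does not describe.

```javascript
// Audit a header map (as returned by fetch().headers or a test client)
// against the mistakes and minimum header set listed above.
function auditHeaders(rawHeaders) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  const flag = (header, issue) => { findings.push({ header, issue }); };

  if (!h['content-security-policy']) {
    flag('content-security-policy', h['content-security-policy-report-only']
      ? 'report-only: violations are reported but not enforced'
      : 'missing: primary XSS defense');
  }
  const hsts = h['strict-transport-security'];
  if (!hsts) flag('strict-transport-security', 'missing: HTTPS downgrade possible');
  else if (!/max-age=\d+/i.test(hsts)) flag('strict-transport-security', 'no max-age directive');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!xfo) flag('x-frame-options', 'missing: page can be framed (clickjacking)');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    flag('x-frame-options', `unexpected value ${xfo}; use DENY or SAMEORIGIN`);
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    flag('x-content-type-options', 'missing or not "nosniff" (MIME sniffing)');
  }
  if (!h['referrer-policy']) flag('referrer-policy', 'missing');
  if (!h['permissions-policy']) {
    flag('permissions-policy', 'missing: camera/microphone/geolocation unrestricted');
  }
  // Version disclosure: "Apache/2.4.52" style product/version tokens.
  if (h['server'] && /\/\d/.test(h['server'])) flag('server', `exposes version: ${h['server']}`);
  for (const leaky of ['x-powered-by', 'x-aspnet-version']) {
    if (h[leaky]) flag(leaky, 'remove: discloses technology stack');
  }
  return findings;
}

// Constructed sample response headers: two things right, six wrong.
const sampleHeaders = {
  'Server': 'Apache/2.4.52',
  'X-Powered-By': 'PHP/8.1',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
};
const sampleFindings = auditHeaders(sampleHeaders);
```

Wire it into CI or a smoke test after each deploy: a non-empty findings list on the production origin is a regression, regardless of what the previous scan scored.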

Frequently Asked Questions

How often to rotate?

High-privilege API keys — 24-72h (JIT). Service credentials — 30-90d. Human passwords — 90d + MFA. After incident — immediately.

Vault or AWS SM?

Vault: self-host, universal (not only AWS), $0 if self-hosted. AWS SM: managed, tight AWS IAM integration, $0.40/secret/mo. Cloud-native → SM, multi-cloud → Vault.

Short-lived credentials?

Best practice 2026 — AWS STS AssumeRole (1h), GitHub OIDC federation (no static AWS keys), Workload Identity (K8s). Reduces rotation overhead.

How to check for leakage?

GitHub secret scanning enabled, trufflehog in CI, Shodan alerts for your IPs. Enterno Security Scanner for sensitive file disclosure.