Is it safe to store a proxy IP address and port in a shell config file on GitHub? I see some people doing that and not worrying about it.


2 Answers


It's probably not something devastating, but it's certainly unwise. Ignoring an attacker using it for discovery (and someone will someday), the bigger issue is that storing configuration files in your SCM poses a future threat.

Whatever infrastructure you have will grow and evolve. Someday someone will put something sensitive (passwords, usernames, keys) into those configuration files without thinking twice. As soon as they run 'git push', the horse has left the barn.

  • You can also put passwords in source code (and many people do), but that doesn't mean we shouldn't check code into version control. You just need to have appropriate ways of pulling in secrets from external sources, and be careful of what you commit (ideally with code review and an additional set of eyes). – Xiong Chiamiov Nov 19 '16 at 16:16
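An added example, not code from anyone in this thread, of the two habits the answer and comment describe for a shell config kept in a public repository: load the proxy setting from an untracked local file, and check a file for literal proxy values before committing it. The function names, the `PROXY_LOCAL_FILE` variable and its default path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names and paths are hypothetical, not from the thread.

# 1) In the tracked shell config: read proxy settings from a local file
#    that is never committed (list it in .gitignore). That file holds
#    lines such as:  export http_proxy=http://proxy.example:3128
load_local_proxy() {
    f="${PROXY_LOCAL_FILE:-$HOME/.config/shell/proxy.local}"
    # A missing file is not an error: the machine simply has no proxy.
    [ -r "$f" ] && . "$f"
    return 0
}

# 2) Pre-commit style check for one file.
#    Returns 0 when the file is clean, 1 when it assigns a literal value to
#    http_proxy, https_proxy, ftp_proxy or all_proxy (any letter case).
#    Assignments that only reference another variable ($VAR, "${VAR}") pass.
check_proxy_literals() {
    file="$1"
    hits=$(grep -nEi '^[[:space:]]*(export[[:space:]]+)?(https?|ftp|all)_proxy=' "$file" \
           | grep -Ev '=["'\'']?[$]' || true)
    if [ -n "$hits" ]; then
        printf 'hard-coded proxy setting in %s:\n%s\n' "$file" "$hits" >&2
        return 1
    fi
    return 0
}
```

Calling `check_proxy_literals` on each staged file from a Git `pre-commit` hook and exiting non-zero on failure stops the commit before the value reaches the remote.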

Aside from the excellent points Josh raises, you might also want to consider the organizational implications.

Proper security etiquette is raising users' sensitiveness to the fact that publishing confidential information is a bad thing.

Hence, many organizations (employees, research institutes, universities...) make new users sign something that clearly explains that, under no circumstances, they're allowed to share access information or credentials with some third party. By pushing things to GitHub, you'd be demonstratively breaking that contract.

Please feel a little more concerned with what you really need to share with the world, vs. what feels "comfortable". At least use a private repository (this doesn't apply to GitHub only, but also to Bitbucket, GitLab, SourceForge, and the million other file/code storage services out there).

I agree with Josh, proxy addresses are probably not what I'd call confidential information – but next thing you know, someone's pushing internal email addresses, API tokens for services the company uses, or just plain good ol' employee names. Let alone things like passwords. Because at the time someone figures out you've shared critical information, and potentially caused damage to the company that way, your least concern is how easily you can restore your shell config on another PC.

Marcus Müller