
Nearly Leaked All My Secrets to GitHub (And How I Saved EpsteinScan)


Well, that was close. Really close.

I've been working on getting EpsteinScan ready for public release, and I just discovered something that made my stomach drop: my very first commit had ALL my production secrets sitting there in plain text. Stripe keys, API credentials, admin passwords, server details – everything.

For months, it's all been sitting there in the git history, just waiting for someone to find it once I made the repo public. Talk about a rookie mistake that could have been catastrophic.

The Great Secret Purge

Spent the better part of two days doing digital archaeology with git filter-repo, scrubbing every trace of sensitive data from the entire git history. I'm talking about 32,527 lines of code dumped and grep'd to make sure nothing slipped through.

The cleanup hit:

  • Stripe secret keys and webhook secrets
  • SendGrid API credentials
  • Flask secret keys
  • Admin passwords
  • R2 storage credentials
  • Server IPs and SSH commands

Of course, git filter-repo decided to be "helpful" and replaced secrets in my working copy too, not just the history. Suddenly my CSP headers were broken (domain names became "REDACTED_ADMIN_DOMAIN") and my R2 integration was trying to authenticate with literal "REDACTED_R2_ACCESS_KEY" strings. Fun times.
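The two checks above, grepping the dumped history for anything that slipped through the purge and catching REDACTED_ placeholders that git filter-repo left in the working copy, can be made repeatable with a small scanner. The following Python script is an added example, not part of EpsteinScan or of git filter-repo: the regexes for the Stripe and SendGrid key shapes follow those vendors' documented prefixes, the remaining patterns and the entropy threshold are my own heuristics, and every value in the embedded sample is constructed and fake.

```python
import math
import re
import sys
from collections import Counter

# Named patterns for the credential families the post lists. The Stripe and
# SendGrid shapes follow those vendors' documented prefixes; the Flask, admin
# password, SSH and placeholder patterns are heuristics (assumptions) and will
# need tuning for a real code base.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "stripe_webhook_secret": re.compile(r"\bwhsec_[0-9A-Za-z]{16,}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[0-9A-Za-z_-]{16,}\.[0-9A-Za-z_-]{16,}\b"),
    "flask_secret_key": re.compile(r"\bSECRET_KEY\s*[=:]\s*['\"][^'\"]{12,}['\"]"),
    "admin_password": re.compile(r"(?i)\b(?:admin_)?password\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "ssh_command": re.compile(r"\bssh\s+(?:-i\s+\S+\s+)?[\w.-]+@(?:\d{1,3}\.){3}\d{1,3}\b"),
    # git filter-repo --replace-text leaves these tokens behind; one in the
    # working tree means that value still has to be restored from the env.
    "leftover_placeholder": re.compile(r"\bREDACTED_[A-Z0-9_]+\b"),
}

# Catch-all for secrets with no known prefix: long quoted tokens with high
# Shannon entropy. Hex keys top out at 4.0 bits/char, so 3.8 (an assumption)
# catches them while leaving ordinary identifiers and slugs alone.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.8

# Constructed sample resembling `git log -p --all` output; every value is fake.
SAMPLE_HISTORY = """\
+STRIPE_SECRET_KEY = "sk_live_EXAMPLEEXAMPLEEXAMPLE0001"
+STRIPE_WEBHOOK_SECRET = "whsec_EXAMPLEEXAMPLEEXAMPLE0002"
+SENDGRID_API_KEY = "SG.EXAMPLEEXAMPLEEXAMPLE.EXAMPLEEXAMPLEEXAMPLE"
+SECRET_KEY = "f3a9c1d7e5b2048691a7c3e5d9f1b2a4"
+ADMIN_PASSWORD = "hunter2hunter2"
+CLOUDFLARE_R2_SECRET = "9f2c7a1e4b8d3c6f0a5e2d7b1c4f8a3e6d9b0c2f"
+# deploy: ssh root@203.0.113.10
+R2_ACCESS_KEY = "REDACTED_R2_ACCESS_KEY"
+APP_NAME = "EpsteinScan-newsletter-service"
+DEBUG = True
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line_no: int, line: str) -> list:
    """Return (line_no, kind, match) for every secret-looking token on a line."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((line_no, kind, m.group(0)))
    already = [f[2] for f in findings]
    for m in QUOTED_TOKEN.finditer(line):
        token = m.group(1)
        if token.startswith("REDACTED_") or any(token in s for s in already):
            continue  # placeholders and values a named pattern already covered
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "high_entropy", token))
    return findings


def scan_text(text: str) -> list:
    """Scan a whole dump (e.g. `git log -p --all` output) line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(line_no, line))
    return findings


if __name__ == "__main__":
    # Pipe real history in, or run with no stdin to scan the embedded sample.
    text = SAMPLE_HISTORY if sys.stdin.isatty() else sys.stdin.read()
    for line_no, kind, match in scan_text(text):
        print(f"{line_no}: {kind}: {match}")
```

Run it as `git log -p --all | python3 scan_history.py` after the filter-repo pass, and again over the working tree so the REDACTED_ tokens get restored before deploy. Two caveats: the entropy threshold is a trade-off (Flask secret keys made with `secrets.token_hex` sit just under 4.0 bits per character, which is why 3.8 rather than 4.0), and rewriting history does not revoke anything, so every credential that was ever committed still needs rotating regardless of how clean the scan comes back. Dedicated tools such as gitleaks or trufflehog cover far more patterns; this script is only the quick second opinion.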

The Wall Gets Some New Faces

While I was in paranoid security mode, I also pushed through some visual improvements. Added 7 new wall photos and resized 6 existing ones to a proper 300x300 standard. Ran OpenCV face detection on everything to get the positioning just right.

For people without public photos available (Lesley Groff and Darren Indyke), I created styled placeholders instead of leaving generic icons. Small touches, but they matter.

Gmail Dark Mode is My Nemesis

Newsletter templates and Gmail dark mode – name a more frustrating duo. I'll wait.

Went through 6 iterations trying to get the email template to look decent in Gmail's mobile dark mode. Tried everything from linear gradients to color-scheme meta tags. Finally landed on a clean color-scheme: light only approach with bgcolor attributes on all 34 table cells. Sometimes the simple solution wins.

Bot Traffic Chaos

Discovered that 82% of my traffic was coming from bot swarms – mostly Alibaba Cloud ranges hitting the site with empty User-Agent strings. Added a simple nginx rule to block empty User-Agents, which should cut down the noise significantly.
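To get a number like that 82% from the access log, and to see which networks the empty-User-Agent requests come from before adding a block rule, here is an added Python script (not the site's own tooling). It parses nginx combined-format lines, in which an empty `$http_user_agent` is written as `"-"`, and mirrors the block decision so the effect of the rule can be measured against the log first. The log lines are constructed with RFC 5737 documentation addresses, not real traffic; the prefix width and field names are my assumptions.

```python
import re
from collections import Counter

# nginx "combined" log format; an empty variable is logged as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample using RFC 5737 documentation addresses (not real traffic);
# the last line is deliberately malformed to exercise the unparsed counter.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
198.51.100.21 - - [10/Aug/2025:12:00:02 +0000] "GET /wall HTTP/1.1" 200 8123 "-" "-"
198.51.100.22 - - [10/Aug/2025:12:00:02 +0000] "GET /wall HTTP/1.1" 200 8123 "-" "-"
203.0.113.7 - - [10/Aug/2025:12:00:03 +0000] "GET /about HTTP/1.1" 200 2210 "-" "-"
192.0.2.44 - - [10/Aug/2025:12:00:04 +0000] "GET /health HTTP/1.1" 200 17 "-" "curl/8.5.0"
198.51.100.23 - - [10/Aug/2025:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.8 - - [10/Aug/2025:12:00:05 +0000] "GET /wall HTTP/1.1" 200 8123 "-" "-"
198.51.100.24 - - [10/Aug/2025:12:00:06 +0000] "GET /about HTTP/1.1" 200 2210 "-" "-"
198.51.100.25 - - [10/Aug/2025:12:00:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [10/Aug/2025:12:00:07 +0000] "GET /wall HTTP/1.1" 200 8123 "-" "-"
this line is not an access log entry
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_empty_ua(ua: str) -> bool:
    """Mirror of an nginx `$http_user_agent = ""` test: the variable is empty when
    the header is absent or blank, and the log shows that as "-"."""
    return ua in ("", "-")


def ipv4_prefix(ip: str, octets: int = 2) -> str:
    """Group by the first two octets (a /16); IPv6 or junk is kept as-is."""
    parts = ip.split(".")
    return ".".join(parts[:octets]) if len(parts) == 4 else ip


def summarize(lines) -> dict:
    """Count requests, the empty-UA share, and the /16s the empty-UA traffic comes from."""
    total = empty = unparsed = 0
    prefixes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        if is_empty_ua(rec["ua"]):
            empty += 1
            prefixes[ipv4_prefix(rec["ip"])] += 1
    return {
        "total": total,
        "unparsed": unparsed,
        "empty_ua": empty,
        "empty_ua_share": empty / total if total else 0.0,
        "top_prefixes": prefixes.most_common(3),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"{summary['empty_ua']}/{summary['total']} requests "
          f"({summary['empty_ua_share']:.0%}) had no User-Agent")
    for prefix, count in summary["top_prefixes"]:
        print(f"  {prefix}.0.0/16: {count}")
```

On the sample this reports 8 of 10 requests (80%) with no User-Agent, five of them from one /16. The matching nginx rule is `if ($http_user_agent = "") { return 403; }` inside the `server` block; the `"-"` in the log is only how nginx prints the empty variable, so the rule compares against the empty string, not against a hyphen. Check the summary before and after deploying it, since a few legitimate monitors do send no User-Agent and will show up in the same bucket.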

Setting Up for Success

Got a proper CI/CD pipeline running with GitHub Actions, complete with smoke tests and auto-deployment. The repo is clean, documented, and ready to go public – just need to flip that visibility switch.

Almost forgot to rotate my Anthropic API key (the one service that requires manual rotation through their console), but caught it before making anything public.

Lessons Learned

This whole experience reminded me why security can't be an afterthought. Even with the best intentions, it's scary how easy it is to accidentally expose everything.

The good news? EpsteinScan is now properly secured, visually improved, and ready for the world to see. Just goes to show that sometimes the most important work happens behind the scenes, cleaning up the messes before anyone else notices them.

Next time I'm definitely setting up proper secret management from day one. Live and learn.
