C

Python › Module 4 › Lesson 2

BeginnerModule 4Lesson 2/4

Secrets, Ethics & Scope

Never hardcode API keys, never scan without permission, and keep scripts out of gray zones

15 min+52 XP3 quiz
Module progress2 of 4
🔒
Scope · Secrets · Authorization

Opening

Skill without rules is a liability

You can now open sockets, fetch URLs, and parse logs. That is exactly enough capability to cause legal and career damage if misused. This lesson locks the habits that separate practitioners from script kiddies.

1. Secrets Handling

  • No keys in git

    Use environment variables or a secret manager—not literals in .py files.

  • Rotate when exposed

    If a key leaked in a screenshot or repo, revoke it immediately.

  • Least privilege tokens

    API tokens should only allow what the script needs.

Read a secret from the environmentimport os api_key = os.environ.get("SOC_API_KEY") if not api_key: raise SystemExit("Missing SOC_API_KEY")

import os

api_key = os.environ.get("SOC_API_KEY")
if not api_key:
    raise SystemExit("Missing SOC_API_KEY")

2. Ethics & Scope

Only test systems you own or have written authorization to assess. localhost and personal lab VMs are your sandbox. Corporate production, random websites, and classmates’ laptops are not. Document intent. Prefer defensive automation. When learning offensive techniques, keep them in labs.

Authorization is a control

A PDF or ticket that says you may test host X on date Y beats “but I was curious.”

Knowledge Check

1

API keys in public git repos are:

Multiple choice

Knowledge Check

2

True or False: Written authorization matters for scanning beyond your lab.

True or False

Knowledge Check

3

os.environ.get("SOC_API_KEY") helps you:

Multiple choice

← Previous

Answer all 3 knowledge checks to continue. (0/3 answered)