Python › Module 4 › Lesson 2
Secrets, Ethics & Scope
Never hardcode API keys, never scan without permission, and keep scripts out of gray zones
Opening
Skill without rules is a liability
You can now open sockets, fetch URLs, and parse logs. That is exactly enough capability to cause legal and career damage if misused. This lesson locks the habits that separate practitioners from script kiddies.
1. Secrets Handling
No keys in git
Use environment variables or a secret manager—not literals in .py files.
Rotate when exposed
If a key leaked in a screenshot or repo, revoke it immediately.
Least privilege tokens
API tokens should only allow what the script needs.
Read a secret from the environmentimport os api_key = os.environ.get("SOC_API_KEY") if not api_key: raise SystemExit("Missing SOC_API_KEY")
import os
api_key = os.environ.get("SOC_API_KEY")
if not api_key:
raise SystemExit("Missing SOC_API_KEY")2. Ethics & Scope
Only test systems you own or have written authorization to assess. localhost and personal lab VMs are your sandbox. Corporate production, random websites, and classmates’ laptops are not. Document intent. Prefer defensive automation. When learning offensive techniques, keep them in labs.
Authorization is a control
A PDF or ticket that says you may test host X on date Y beats “but I was curious.”
Knowledge Check
API keys in public git repos are:
Multiple choice
Knowledge Check
True or False: Written authorization matters for scanning beyond your lab.
True or False
Knowledge Check
os.environ.get("SOC_API_KEY") helps you:
Multiple choice