Hey everyone! In today’s Developer Diary, I’m diving into a website and GitHub audit I recently conducted for Drone Quote after the budgeting tool side project I had built for the company.
Drone Quote is a company connecting homeowners with solar and roofing companies. This was a fascinating project where I got to leverage the power of Google’s Gemini Advanced AI to help me analyze everything from SEO and site performance to code security and potential monetization strategies.
I’ll be sharing some of my prompts and interactions with Gemini, showcasing how this powerful tool assisted me in uncovering hidden issues and generating valuable insights. Ultimately, I was able to present a comprehensive audit to Drone Quote’s owner, complete with actionable recommendations to improve their online presence and business operations.
Side Note: Unfortunately, I don’t have all the images and screenshots because they had been deleted long after the meeting was over. Plus I had no idea I would be doing a developer diary at the time.
Gemini Prompt for the Website Audit
Below is the prompt I used to start working with Gemini on the website’s audit:
**Prompt begins**
I need help doing a full website audit on a website called Drone Quote located at dronequote.net.
Here is some of the information on their About page:
“We are a professional service connecting you to solar and roofing companies. We evaluate the businesses that align with our values, first and foremost, and then thoroughly screen them on their workmanship, warranties (the specifics written in the contract not the stuff they advertise), licensing & insurance information, and public court records.
We then work with homeowners such as yourself who are looking for solar or roofing services and we help them navigate the buying process for the respective service.
How We Get Paid
NOT by selling your information, first and foremost.
We partner with reputable solar and roofing companies to provide our clients with a choice of businesses that fit their needs. The company that you choose pays a portion of the profits for the professional business introduction through our services. We believe in the H.I.T approach in cultivating relationships, Honesty, Integrity, Trust.
What About the Drones?
I began using drones in 2013 to provide a more efficient way to provide solar quotes increases accuracy. I launched our company in 2017 with the specific focus to utilize drone technology because they’re a magnificent tool for solar and roofing.
We perform before and after drone surveys, so you have a very clear idea of what took place on your roof and that it was installed to a high standard for guaranteed satisfaction.
The service provided by DroneQuote allows for thorough and clear communication as the accountability partner between you and the professional company you selected, ensuring the highest quality work possible.”
The website has a blog that is focused on attracting visitors who are interested in everything solar power and anything else related to that industry. They also have a YouTube channel that does the same.
I need to audit everything from SEO to site performance and anything else deemed important. I have access to the website’s Google Analytics and the website’s Google Search Console. I need you to lay out a detailed walkthrough of how I should approach this and what information and data I should focus on.
For instance, I have already found issues with the website not being mobile-friendly. I’ve also found some issues with the blog articles (bad links, bad SEO practices, etc.). I need to present this to the owner of the website by the end of the week (Friday).
Please provide any free tools I can use to also help with the audit. I also need to be able to find ways to save on costs and find ways to monetize the website.
As an example, the site has a page with an article called “Best Heat Pumps in 2024: A Consumer’s Guide” but they are not taking advantage of any affiliate marketing.
They also have an email subscriber box on the website but I highly doubt it is optimized for attracting anybody to sign up for their email list. Maybe they can offer some kind of free product/source to entice their visitors to sign up.
The owner has a team of salespeople and drone pilots who sign up through Drone Quote, etc. My concern has more to do with the website as that is an integral part of the business.
Unfortunately, the website is not optimized correctly and runs using a variety of technologies such as React, Node.js, Svelte, Firebase, and Express. He has one developer who handles the GitHub codebase and builds products for him and the company has team of writers as well as salespersonnel.
I believe after I bring him indisputable proof of how his website is not living up to its potential and how he can fix it, that in the end, he will become more knowledgable and confident on how he should proceed moving forward.
I’m also trying to save him on developer costs and blog writing costs, as well as showing him how to maintain his website with industry standard best practices. I would also like to present him with plans to take his website mobile (iOS/Android).
**Prompt ends**
GitHub Repository Audit
With Gemini’s help on the website audit, I focused on four key areas: SEO, Accessibility, Performance, and Security. After scrutinizing Drone Quote’s website, I turned my attention to their GitHub repository. While the website itself presented a number of challenges, the codebase held its own set of hidden risks.
Below is the information I put together in order to present my findings and recommendations to the owner in the meeting we had.
**GitHub Repository audit begins**
.env file
Does it matter if your .env file containing API keys is in your GitHub repository?
Absolutely yes, it matters a great deal if your .env file containing API keys is in your GitHub repository. Here’s why this is a major security risk:
1. Public Exposure:
If your GitHub repository is public, anyone can view your .env file and directly access your API keys. This exposure grants them the ability to impersonate you or your application while making requests to the linked services.
2. Malicious Use:
Bad actors can use those exposed API keys to:
- Abuse the services associated with the key, often leading to unexpected charges on your account.
- Access and potentially manipulate sensitive data linked to the API.
- Perform actions within services under your application’s identity, leading to reputational damage.
3. Compromised Accounts:
Even if your repository is private, a security breach of your account or that of someone with access to the repository could put your API keys at risk.
Best Practices: The .env File Should Never Be Committed
.gitignore: The .gitignore file in your project specifically instructs Git to ignore certain files. Ensure .env is listed in your .gitignore file to prevent it from ever being uploaded to GitHub.
Environment Variables:
When you run your application, load the API keys from environment variables. Many programming languages and frameworks offer ways to read environment variables.
On your local machine, set the environment variables using your operating system’s tools.
When deploying to services like Heroku, AWS, etc., these platforms provide secure sections to store environment variables that your application can access.
Secrets Management:
For more robust management of multiple keys and added security, consider dedicated secrets management solutions like:
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
- Key Takeaways:
Never commit your .env file to version control, especially not to GitHub.
Use environment variables to keep your API keys safe.
Consider secrets management services for enhanced security.
Given the main focus of the website audit is on SEO, Accessibility, Performance, and Security, the presence of .env files containing API keys and IDs in the main directory of a private GitHub repository is a significant security concern.
Security Risks
Exposure of Sensitive Information: .env files should not be tracked by Git as they often contain sensitive information such as API keys, which are essentially passwords to external services. If these files are committed to a repository, there is a risk that they could be exposed, especially if the repository’s visibility changes or if there is a breach.
Best Practices Violation: Best practices for API key security include not storing sensitive information in source code or version control systems, using environment variables, and employing secrets management tools for better protection.
Potential for Unauthorized Access: If API keys are exposed, unauthorized users could potentially access and use the associated services, which could lead to data breaches, service abuse, and financial costs.
Recommendations
Remove Sensitive Files from Git: The .env, .env.bak, .env.development, env.prod, and env.staging files should be removed from the repository and any Git history to prevent potential exposure.
Use .gitignore: Update the .gitignore file to include all environment files that contain sensitive information, not just the local and specific environment files currently listed.
Environment Variables: Store API keys in environment variables or use a secrets management service to keep them secure and out of the codebase.
Key Management: Implement a key management strategy, including regular rotation and revocation of API keys to minimize risks.
Access Control: Apply the principle of least privilege by restricting API key permissions to only what is necessary for their intended use.
Audit and Monitoring: Regularly monitor the use of API keys and conduct audits to detect any unauthorized or abnormal usage patterns.
Secure Storage: Consider using a secure vault or encrypted storage for API keys and other credentials.
Education and Training: Ensure that all team members are aware of the importance of API key security and are trained in best practices.
In conclusion, the current handling of .env files in the private GitHub repository poses a security risk and does not adhere to best practices. Immediate action should be taken to secure the API keys and implement a more robust security strategy.
Beyond the .env files, here are some other security concerns you should consider when auditing the files in the repository:
Backup Files: The presence of .env.bak suggests that backup files may be present in the repository. These can also contain sensitive information and should be handled with the same care as .env files.
Configuration Files: Files like firebase.json, cors.json, corsConfig.json, and storage.rules may contain configuration settings that could reveal infrastructure details or security rules that could be exploited if not properly secured.
Code Quality and Security: The .eslintrc and .prettierrc.js files suggest the use of linters and formatters, which are good for maintaining code quality. However, ensure that security-related plugins or rules are also included to catch common security issues in the codebase.
Dependencies: The package.json and yarn.lock files list the project’s dependencies. It’s important to regularly audit these for known vulnerabilities using tools like npm audit or yarn audit and to keep all packages up to date.
Firebase and Cloud Functions: The .firebaserc and related Firebase configuration files should be reviewed to ensure that security rules for database access, storage, and cloud functions are properly set up to prevent unauthorized access or data leaks.
Custom Configuration: Custom configuration files like config-overrides.js, craco.config.js, and tailwind.config.js should be reviewed to ensure they do not inadvertently weaken the security posture of the application.
TypeScript Configuration: The tsconfig.json file indicates the use of TypeScript, which can improve code quality and security by providing static type checking. Ensure that the configuration is set to enforce strict type-checking where possible.
Security Rules: The storage.rules file likely contains security rules for cloud storage. These rules should be audited to ensure they enforce proper access controls and do not allow public or unauthorized access to sensitive data.
Ignore Files: The .gitignore, .prettierignore, and similar files should be reviewed to ensure they are comprehensive and prevent the accidental inclusion of sensitive files or directories in the repository.
Documentation: The README.md and any other documentation should be checked for sensitive information that should not be publicly available or shared with unauthorized users.
Lock Files: The yarn.lock file locks the versions of the dependencies used. Ensure that it is included in the repository to prevent discrepancies between development and production environments.
Code Review: Regular code reviews should be conducted to identify security issues, code smells, and potential vulnerabilities that automated tools might not catch.
By addressing these concerns, you can help ensure that the company’s website is secure.
**GitHub Repository audit ends**
Conclusion
The website and GitHub audit for Drone Quote was a revealing journey into the complexities of maintaining a secure and effective online presence. By combining my own expertise with the analytical power of Gemini Advanced, I was able to provide Drone Quote’s owner with a comprehensive roadmap for improvement.
This case study underscores the importance of regular audits for any business relying on a website and codebase. From SEO and content optimization to code security and performance, every aspect plays a crucial role in online success. Don’t underestimate the power of AI tools like Gemini, Perplexity.AI, Claude and ChatGPT to assist in this process, uncovering hidden issues and providing valuable insights.
Stay tuned for future Developer Diaries where I’ll explore more real-world projects and share the lessons learned along the way!