This may be a dumb question, but I am an absolute beginner to back end code and I am trying to practice building applications professionally. Is it considered bad practice to push my application's entire code base, excluding database passwords, API keys, and other sensitive bits of data, to a public GitHub repo? Does this set my application, once hosted, in a vulnerable spot? Is it safe if the GitHub repo is set to private? What is a professional way of handling front end and back end on GitHub? I have scoured the web already, but "backend" and "github" just brings up results for "GitHub Pages does not support server side code", which is interesting, but something else entirely.
Assuming your application adheres to best practices and does not have vulnerabilities, this is absolutely safe, as long as you do not (accidentally) include any credentials or secrets as you have mentioned.
If your application does have vulnerabilities, putting it on GitHub might actually decrease the danger. If the vulnerability is in a dependency you are using, GitHub might alert you to the vulnerability, making you aware of it and allowing you to fix it. Furthermore, other users might find the flaw, report an issue or PR and help you fix it. Another added benefit is that your code is securely stored off-site, should your own computer become compromised.
On the other hand, a motivated attacker might want to exploit the vulnerability. In order to do that, they'll still need to sift through your code to find it, and then attack you or someone using your software. Unless your software is used by high-value targets or lots of targets, this isn't economical for the attacker.
Is it safe if the github repo is set to private?
Pretty much so. The contents of private repos are regulated in section E of the ToS:
Short version: You may have access to private repositories. We treat the content of private repositories as confidential, and we only access it for support reasons, with your consent, or if required to for security reasons.
I encourage you to read the whole section of the ToS; it is not that long, but a worthwhile read if you have concerns about the confidentiality of the private repo.
Note that Microsoft themselves nowadays host the Windows source code on GitHub, in a private repo. And many other companies do as well. GitHub has managed to gain a reputation for being trustworthy in that regard.
Imho, I would not hesitate to publish open source projects publicly on GitHub. But if the project is a closed-source, for-profit application, the question arises why you'd like to make the source code available in the first place. A private repo would be much better suited for that.
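As an added example (not part of the original question or answer), a minimal pre-commit style scan in Python that flags the kind of accidental inclusions the answer warns about: known key formats, real-looking hardcoded credential assignments, and files such as .env that belong in .gitignore rather than in the repo. The patterns, the entropy threshold and the forbidden file names are illustrative assumptions, and the sample inputs are constructed.

```python
import math
import re

# Patterns that commonly indicate credentials in committed source (illustrative).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

# File names that belong in .gitignore and should never be committed (assumed list).
FORBIDDEN_PATHS = (".env", "credentials.json", "id_rsa")


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(path: str, text: str) -> list:
    """Return findings as (path, line_no, rule) tuples; line_no 0 means the file itself."""
    findings = []
    if path.rsplit("/", 1)[-1] in FORBIDDEN_PATHS:
        findings.append((path, 0, "forbidden_file"))
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            # Placeholders like "changeme" have low entropy; only flag real-looking values.
            if rule == "hardcoded_assignment" and shannon_entropy(m.group(2)) < 3.0:
                continue
            findings.append((path, no, rule))
    return findings


if __name__ == "__main__":
    # Constructed sample files; in a real hook, feed each staged file (git diff --cached).
    samples = {
        "config.py": 'DB_PASSWORD = "changeme"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
        ".env": "STRIPE_KEY=sk_test_Qm4xZ9vP2nLw8Kj3Rt7Yb1Hc\n",
    }
    for p, t in samples.items():
        for f in scan_text(p, t):
            print("BLOCKED: %s line %d (%s)" % f)
```

Any finding should make the hook exit non-zero so the commit is refused; the value being flagged must then be moved into an environment variable or a secrets manager, not simply edited out of the diff, since it would otherwise remain in history.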