https://ferkakta.dev/tags/acm/Recent content in Acm on ferkakta.devHugoen-USCopyright fizz.Mon, 09 Feb 2026 09:00:00 -0600https://ferkakta.dev/acm-certificate-transparency-scanners/Mon, 09 Feb 2026 09:00:00 -0600https://ferkakta.dev/acm-certificate-transparency-scanners/<p>I accidentally exposed production secrets on a public endpoint. Here&rsquo;s what happened and what I learned about Certificate Transparency.</p> <h2 id="the-setup">The setup</h2> <p>We&rsquo;re building a multi-tenant SaaS platform on EKS. During development, our Terraform module defaulted to <code>ealen/echo-server</code> for three microservices — a lightweight HTTP server that echoes back request info. Seemed harmless.</p> <p>What I missed: echo-server echoes EVERYTHING. Every environment variable in the container, including ones injected from AWS SSM via External Secrets Operator. Database connection strings. Redis auth tokens. OAuth client secrets. Signing keys. A single unauthenticated <code>GET /</code> returns it all as JSON.</p>