Is GitHub secure?

Let’s start with the fact that nothing gives us a 100% guarantee of safety; there is always some risk, lower or higher. However, one of the things that separates good software from bad is that this risk is kept to a minimum. So what does it look like in this case? Is GitHub safe to upload code to? Well, yes. Fortunately, GitHub is on the good side. Its creators provide a number of features that let you minimize the risk. Of course, configuring certain options is on our side, but the key thing is that these options are available at all.

How do I protect my GitHub repository?

The first line of defense is authentication, and there are a couple of options here. First of all, GitHub recommends using a password manager to create a secure and unique password. Additionally, it is recommended to enable two-factor authentication (2FA): using a mobile application or SMS, we provide a special one-time code in addition to the password. As a result, even if someone learns our password, they will not be able to log into our account without the device we carry with us.

GitHub also lets you generate a Personal Access Token, used in place of a password for repository integrations. What is the difference? For example, the token can be limited to a specific period of time: two hours, a week, or as long as we need. Additionally, we can limit the operations that can be performed after authenticating with a given token. Thanks to these features, we do not have to remember to revoke the permissions after the job is done, because the token expires by itself and access becomes impossible. A useful tool.
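As an added example (not code from the article or from GitHub), the script below checks the two properties just described, expiry and limited operations, by reading the headers GitHub returns when a token is used. It assumes the classic-token headers `X-OAuth-Scopes` and `GitHub-Authentication-Token-Expiration`, and the allowed-scope policy and sample responses are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the article: audit what a Personal Access Token can do
# by reading the headers GitHub sends back when the token is used.
# Assumed: the classic-token headers X-OAuth-Scopes and
# GitHub-Authentication-Token-Expiration, and the constructed policy below.

# Scopes this job is allowed to have (constructed policy; adjust per integration).
ALLOWED_SCOPES="repo:status read:org"

# Fetch response headers only, using the token from $GITHUB_TOKEN (needs network).
fetch_headers() {
  curl -sS -D - -o /dev/null \
    -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user
}

# header_value FILE NAME: print the value of header NAME (case-insensitive).
header_value() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z'):" '
    tolower($1) == want { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }
  ' "$1"
}

# token_audit FILE: return 0 when the token expires and stays within
# ALLOWED_SCOPES, 1 otherwise (each finding is printed).
token_audit() {
  file=$1; rc=0
  expiry=$(header_value "$file" GitHub-Authentication-Token-Expiration)
  scopes=$(header_value "$file" X-OAuth-Scopes)
  if [ -z "$expiry" ]; then
    echo "FAIL: token never expires; recreate it with an expiration date"; rc=1
  else
    echo "ok: token expires $expiry"
  fi
  # Scopes arrive comma-separated ("repo:status, read:org"); check each one.
  for s in $(printf '%s' "$scopes" | tr ',' ' '); do
    case " $ALLOWED_SCOPES " in
      *" $s "*) echo "ok: scope $s is within policy" ;;
      *) echo "FAIL: scope $s exceeds policy ($ALLOWED_SCOPES)"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample responses in GitHub's header format, for offline runs.
write_good_headers() {
  printf '%s\n' 'HTTP/2 200' 'server: GitHub.com' \
    'x-oauth-scopes: repo:status, read:org' \
    'github-authentication-token-expiration: 2030-01-15 09:00:00 UTC' >"$1"
}
write_bad_headers() {
  # No expiration header and broader scopes than the job needs.
  printf '%s\n' 'HTTP/2 200' 'server: GitHub.com' \
    'x-oauth-scopes: repo, admin:org' >"$1"
}

# Offline demo: sh token_audit.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  write_good_headers "$tmp/good.txt"; token_audit "$tmp/good.txt"
  write_bad_headers "$tmp/bad.txt"; token_audit "$tmp/bad.txt" || echo "bad token rejected"
fi
```

For a live check, pipe `fetch_headers` into a file and pass it to `token_audit`. Fine-grained tokens do not report `X-OAuth-Scopes`, so for them the script only verifies that an expiration date is set; their per-repository permissions are reviewed in the token's settings instead.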

In addition to authentication and access, there is also the risk of communication being “overheard” and data intercepted by hackers. To avoid this, you can opt out of HTTPS communication. Generally, this protocol is safe, but to be more confident, you should use an SSH connection instead. Thanks to this, our connection will be encrypted. This protocol is based on a public and private key pair: the server checks that the client holds the private key matching a registered public key, and only then is the connection established. Such keys can be generated separately for each device, so even if someone knows our password and takes control of our mobile device (2FA), their computer will not have our private key and will not be able to access the repository.
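The per-device key setup described above, as an added example that is not part of the original article: one ed25519 key per machine, an `ssh_config` stanza that forces that key for github.com, and a helper that moves an existing clone from its HTTPS remote to the SSH one. The config directory, key file names and the `github:<device>` key comment are assumptions of the example:

```shell
#!/bin/sh
# Added example, not from the article: per-device SSH keys for GitHub.
# Assumed: OpenSSH client and git installed; key file names and the
# key comment "github:<device>" are our own conventions.

# Create a fresh ed25519 key for THIS device only. ssh-keygen prompts for a
# passphrase, so a copied key file alone is not enough to use it.
new_device_key() {
  dir=$1; device=$2
  ssh-keygen -t ed25519 -f "$dir/github_$device" -C "github:$device"
  # The fingerprint printed here is what you match against in GitHub's SSH keys page.
  ssh-keygen -lf "$dir/github_$device.pub"
}

# Append an ssh config stanza that forces this device's key for github.com.
# IdentitiesOnly stops ssh from offering every other key in the agent.
write_ssh_config() {
  dir=$1; device=$2
  cat >>"$dir/config" <<EOF
Host github.com
    HostName github.com
    User git
    IdentityFile $dir/github_$device
    IdentitiesOnly yes
EOF
  chmod 600 "$dir/config"
}

# Return 0 if a remote URL already uses SSH, 1 if it is HTTPS (or anything else).
remote_uses_ssh() {
  case $1 in
    git@github.com:*|ssh://git@github.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite an HTTPS GitHub clone URL into its SSH form; SSH URLs pass through unchanged.
to_ssh_url() {
  printf '%s\n' "$1" | sed -e 's#^https://github\.com/#git@github.com:#'
}

# Point an existing clone's origin at the SSH remote (run inside the repository).
switch_remote_to_ssh() {
  url=$(git remote get-url origin)
  if remote_uses_ssh "$url"; then
    echo "origin already uses SSH: $url"
  else
    git remote set-url origin "$(to_ssh_url "$url")"
    echo "origin switched to $(git remote get-url origin)"
  fi
}

# Typical first-time use on a new laptop:
#   new_device_key "$HOME/.ssh" laptop
#   write_ssh_config "$HOME/.ssh" laptop
#   ssh -T git@github.com        # confirm the greeting names your account
#   cd some-clone && switch_remote_to_ssh
```

On the first `ssh -T git@github.com`, compare the host key fingerprint ssh shows against the fingerprints GitHub publishes in its documentation before accepting it; that is the step that defends against the interception the paragraph describes. When a device is lost, delete only that device's public key from the GitHub account; the other devices keep working.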

Is the GitHub repository a backup?

As you can see above, GitHub security is at a high level. However, can we treat this service as a backup? Definitely not, for several reasons. The first is that GitHub does not meet several basic criteria for a good backup, such as versioning, automation or a recovery process. In addition, there have been hacking attacks on its servers. The effect? GitHub was down and access to repositories was limited for a while. A real backup cannot be unavailable. I recommend using third-party GitHub backup solutions, such as, to always be prepared for any situation.

As you can see, GitHub has a number of tools that can increase security and minimize risk. But we must also remember that, despite its many advantages, we cannot treat it as a backup tool. So, is GitHub safe? It can be, but ultimately it’s up to you whether you use it properly.


