Larger organizations commit to centralizing secrets management in a service. When done well, these services solve a lot of issues around secrets, at the cost of creating a lot of ops overhead (which is why they are limited to larger organizations) and engineering complexity. Smaller organizations have, until now, lived with the pain.

Diana Reeves · Corporate Watchdog & Markets

# THE TAKE: Your HTTP Proxy Isn't Your Security Blanket

The infrastructure industry is selling you a dangerous myth: that secrets management via HTTP proxies offers meaningful protection. It doesn't. Here's what's actually happening: corporations push this model because it centralizes control—not security. Your proxy becomes a single attack surface, a honeypot masquerading as a vault. One breach, one misconfiguration, and every downstream service is compromised simultaneously. The real motivation? It's vendor lock-in dressed in security theater. Forcing secrets through proprietary proxy infrastructure means you're paying recurring fees while believing you've outsourced the problem.

**The contrarian truth:** Distributed secret rotation, cryptographic isolation, and application-level controls beat centralized proxy management every time. But that requires actual engineering work. The mainstream tech press won't say it because their ad revenue depends on the vendors pushing this narrative. Your infrastructure deserves better than security theater.


But the pain has become far more significant with agents. Agents fuss when you directly hand them an API key. It usually works, and if you make it a rapidly revocable key that you disable after the session, you mitigate the risks. But some models (you know which ones) freak out on seeing the secret, and refuse to do anything now that the key is “exposed.” Models that are not so ridiculous about API keys will write the key to inter-session memory, pulling it out in another session and burning precious context window trying to use a revoked key. All of which assumes you go to the effort of constantly generating keys.



Like so many problems getting attention right now, this looks like a problem created by agents. But the problem was always there. API keys are convenient but too powerful. Holding one does not just grant you the ability to make API calls, it grants you the power to give others the ability to make API calls (by sending them the key). None of the production software I write, with its /etc/defaults file full of env vars containing API keys, needs that power. We have always just been careful about how we write programs so that they do not exfiltrate keys.


Never careful enough, because many security flaws in such an app now let the attacker walk off with the keys and give them a window to do nastiness from wherever they like, until we realize and start manually rotating them. Attempts to automate key rotation to close this hole have had mixed success. Our industry does use OAuth in some places, and sometimes OAuth is configured to rotate keys. But services still ship API keys, because they are easy for users. (OAuth, while simple in theory, is always painfully complex to use.) Some services give us the worst of all worlds, like GitHub encouraging personal access tokens with 90-day expiry windows: just long enough for you to forget about them and for your internal service to break mysteriously while you are on vacation.
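Two of the points above, the "rapidly revocable key that you disable after the session" handed to an agent, and the 90-day token that expires while nobody is watching, come down to the same small piece of server-side bookkeeping: a key store that can mint short-lived keys, revoke them on demand, reject expired or revoked ones, and list what is about to expire before it breaks something. The following is an added example written for this page, not code from the original post or from any vendor; the in-memory `KeyStore` class, the `<key_id>.<secret>` token layout and the injectable clock are my own assumptions so the whole thing runs offline.

```python
"""Session-scoped API keys with revocation and an expiry audit (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


def _digest(secret: str) -> str:
    # Only a hash of the secret half is stored, so a dump of the store is not a dump of usable keys.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str            # sha256 of the secret half; plaintext is never kept
    owner: str             # who or what the key was minted for (a session, a cron job, ...)
    expires_at: datetime
    revoked: bool = False


class KeyStore:
    """Hypothetical in-memory store; a real service would persist this in a database."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        # Clock is injectable so expiry behaviour can be exercised without waiting.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._records: Dict[str, KeyRecord] = {}

    def issue(self, owner: str, ttl: timedelta) -> str:
        """Mint one key for one purpose with a short lifetime. Token format: <key_id>.<secret>."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(key_id, _digest(secret), owner, self._now() + ttl)
        return f"{key_id}.{secret}"

    def revoke(self, token_or_id: str) -> bool:
        """Disable a key immediately (e.g. when the agent session ends). Accepts a token or a bare key_id."""
        rec = self._records.get(token_or_id.split(".", 1)[0])
        if rec is None:
            return False
        rec.revoked = True
        return True

    def validate(self, token: str) -> Tuple[bool, str]:
        """Return (accepted, reason); reason is one of ok/malformed/unknown/bad-secret/revoked/expired."""
        if "." not in token:
            return False, "malformed"
        key_id, secret = token.split(".", 1)
        rec = self._records.get(key_id)
        if rec is None:
            return False, "unknown"
        # Constant-time comparison of digests; check the secret before leaking any key state.
        if not hmac.compare_digest(_digest(secret), rec.digest):
            return False, "bad-secret"
        if rec.revoked:
            return False, "revoked"
        if self._now() >= rec.expires_at:
            return False, "expired"
        return True, "ok"

    def expiring_within(self, window: timedelta) -> List[KeyRecord]:
        """Live keys whose expiry falls inside `window`: the ones to rotate before they break a service."""
        now = self._now()
        return [r for r in self._records.values()
                if not r.revoked and now < r.expires_at <= now + window]


if __name__ == "__main__":
    store = KeyStore()
    # Agent session: mint a one-hour key, use it, then revoke it when the session ends.
    session_key = store.issue("agent-session-42", timedelta(hours=1))
    print("session key valid:", store.validate(session_key))
    store.revoke(session_key)
    print("after revoke:", store.validate(session_key))
    # Long-lived automation key: the audit is what stops it from expiring unnoticed.
    store.issue("nightly-report-cron", timedelta(days=90))
    print("expiring in the next 100 days:", [r.owner for r in store.expiring_within(timedelta(days=100))])
```

The audit list is the piece worth wiring into a scheduled job: anything it returns within, say, two weeks of expiry is a key that will otherwise fail on a weekend. Revocation marks the record rather than deleting it, so a later presentation of the old key is logged as "revoked" instead of "unknown", which is the signal you want when a key leaks after its session ended.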


Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.