Database Authentication
Access the Database With Minimal Privilege
If your JavaScript web application only needs to read data and doesn't need to
write information, create a database user whose permissions are read-only
.
Always adjust the database user according to your web application's needs.
Use A Strong Password
When creating your database access, choose a strong password. OWASP Guidelines for enforcing secure passwords defines what a strong password is. You can use the npm OWASP Password Strength Test package to test your password according these rules.
Some password managers generate strong passwords in addition to some online web applications. Use them at your own risk.
Remove Default Admin Passwords
Most Database Management Systems have default accounts, most of them with no
password set for the highest privilege user accounts (e.g. MariaDB and MongoDB
use root
with no password) which means an attacker can gain access to
everything.
This should be fixed by setting a password, or better yet by creating a new account with a non-default username with the same access rights.
Also, don't forget to remove your credentials and/or private key(s) if you're going to post your code on a publicly accessible repository in GitHub.