Database Connections

Connection String Protection

To keep your connection strings secure, it's always a good practice to put the authentication details in a separated configuration file far from public access.

Instead of placing your configuration file at /your/app/path/public_html/, consider using a restricted access location /some/private/path/config.json

{
  "db": {
    "user": "f00",
    "pass": "f00?bar#ItsP0ssible",
    "host": "localhost",
    "port": "3306"
  }
}

Then you can load your config.json file on your JavaScript application:

const fs = require('fs');
const config = require('/some/private/path/config.json');

console.log('Configuration loaded');

Of course, if the attacker has root access, he/she could see the file which brings us to the most secure thing you can do - encrypt the file.

Note that required file path includes the .json suffix: this tells Node.js to load and parse the content as JSON and not as a regular JavaScript file, preventing code execution.

Database Credentials

You should use different credentials for every trust distinction and level:

  • User
  • Read-only user
  • Guest
  • Admin

Therefore, if a connection is being made for a read-only user, they could never mess up with your database information because the user actually can only read the data.

results matching ""

    No results matching ""