Vanita Vanita - 11 months ago 61
Node.js Question

Securing a nodeJS database config file

I have created a config.js file which stores all my database connection information. I am then requiring this in my db-connect.js. The config file is gitignored so it won't be committed. However, I was wondering if this is secure, or if any more can be done to secure this information?

Config.js simply looks like this at the moment:

var dbconfig = {
database: 'dbname',
username: 'dbusername',
password: 'dbpassword'

module.exports = dbconfig;

There are similar questions on here,but all just say to not commit the file - however, to me this still doesn't seem as secure as it could be?

Answer Source

There may not be a correct answer to this, Here are your options

  1. Environment variables: i have seen people prefer saving their config in environment variables either in their ~/.bashrc file temporary for a perticular process eg:


    export DB_USER=username

    export DB_PASS=password

    temporary DB_USER=username DB_PASS=password node ./app.js

  2. have your config files separate from the project and require it from a absolute path eg:

    var config = require('/<path>/<to>/config.js');

    so this way you will ensure your application will never serve your config file as it is not part of web root directory.

  3. encrypt your config file and decrypt it every time you application restarts and read it.

I have preferred 1 and 2 on most applications.