5

I'm deploying my node.js app, which is based on Ghost, on Google Compute Engine. However, I'm not sure whether it is a good behavior to write my database credentials in config.js.

The config.js file is something like the following:

...
'production': {
    url: 'http://127.0.0.1:2368',
    database: {
        client: 'mysql',
        connection: {
            host     : '127.0.0.1',
            user     : 'root',
            password : 'root',
            database : 'ghost',
            charset  : 'utf8'
        }
    },
    server: {
        host: '127.0.0.1',
        port: '2368'
    },
},...

However, this includes the database credentials hard-coded in config.js. I'm not sure if this is secure enough in production.

Would I be better off setting the credentials using environment variables from process.env.xxx (e.g. process.env.DB_USER)? In that case, what is the best way to write those environment variables in a file and run the app with the configuration?

Blaszard

1 Answer

4

You should never put the credentials in any file that goes to the source code repository.

What is usually done is to use environment variables that are set using a control panel of your hosting platform for the simplest solution, or you can use tools like etcd for a more flexible solution. See:

With Node you can also use the dotenv module to make setting the env vars easier during development. See:

rsp
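An added example (not part of the original question or answer) of the environment-variable approach applied to the config.js shown in the question: the production block is built from an environment object and startup fails closed if a credential is missing. The variable names DB_HOST, DB_USER, DB_PASSWORD, DB_NAME, GHOST_URL and PORT, and the helper names, are assumptions made for this example.

```javascript
'use strict';

// Variable names are assumptions for this example, not names Ghost defines.
const REQUIRED = ['DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'];

// Build the production block from an environment object (normally process.env).
// Throws instead of falling back to a default credential such as root/root.
function buildProductionConfig(env) {
  const missing = REQUIRED.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length > 0) {
    // Report variable names only; never echo values into logs or errors.
    throw new Error('Missing required environment variables: ' + missing.join(', '));
  }
  return {
    url: env.GHOST_URL || 'http://127.0.0.1:2368',
    database: {
      client: 'mysql',
      connection: {
        host: env.DB_HOST,
        user: env.DB_USER,
        password: env.DB_PASSWORD,
        database: env.DB_NAME,
        charset: 'utf8',
      },
    },
    server: { host: '127.0.0.1', port: env.PORT || '2368' },
  };
}

// Deep copy of the config with the password masked, safe to print at startup.
function redact(config) {
  const copy = JSON.parse(JSON.stringify(config));
  copy.database.connection.password = '[redacted]';
  return copy;
}

// Constructed sample environment standing in for process.env.
const sampleEnv = {
  DB_HOST: '127.0.0.1',
  DB_USER: 'ghost_app',
  DB_PASSWORD: 'constructed-sample-value',
  DB_NAME: 'ghost',
};
console.log(redact(buildProductionConfig(sampleEnv)));

// In config.js itself this would be exported as:
//   module.exports = { production: buildProductionConfig(process.env) };
```

During development, the dotenv module mentioned in the answer can populate process.env from a .env file that is kept out of the repository.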