This is the first time that I am working on a web application. I was going through the question What technical details should a programmer of a web application consider before making the site public? and noticed one thing that I knew nothing of:
Make sure your database connection information is secured.
I am confused about it because as per my knowledge the database info, password, etc will be on my server used in my coding to connect to the db. Then what does this line specifically mean?
Best Answer
Basically, it means that you must store the username and password to the database in a directory that the web server cannot access directly. For example, if you use PHP, and your Apache configuration points to
/project-root/www
, you could store the login information in/project-root/config/db.php
; if you store it in, say,/project-root/www/config/db.php
. Assuming that your server configuration isn't broken, this means that db.php cannot be accessed over the internet.You also need to get the permissions for the config file right. The account the web server runs under (ideally a dedicated account for your application) should be the only one with any kind of access to the config file. In a UNIX environment, assuming Apache is configured to run your application's virtual host under your own account, 600 or even 400 is a suitable permission set. This ensures that other users with access to the same machine (except root) cannot read your configuration file.
Additionally, you'll want to take a few more security measures:
And of course, you need to check your application for general security flaws, especially SQL injection and path traversal: these are the most common ways of getting at your database.
If the application is really sensitive, you need to take more precautions, such as encrypting configuration files, but for your average low-profile website, this should do the trick.