Hacker News new | comments | show | ask | jobs | submit login

at a minimum:

- keep config variables in a separate file that is in your .gitignore and won't get pushed to github.

- keep config file outside of any web accessible directory in case the file renders in plaintext for some reason.

Regardless of db only accepting local connections - an attacker is one step closer to dumping the db.

Hrm, is there really a problem if the test data on my development server were to get dumped? It's not like those credentials or the accounts stored in the db carry over when this gets deployed to production, nor will the changes for production ever come close to my github.

Still very valuable things to be aware of in future situations where the above might not apply, thank you very much.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact