[Possible] Database Connection String Detected
Description
Database connection strings have been detected in publicly accessible files or responses. These strings contain configuration details used by applications to connect to database servers, including server addresses, database names, authentication credentials (usernames and passwords), and driver information. Exposing this information represents a critical security misconfiguration that can lead to unauthorized database access.
Remediation
Immediately remove database connection strings from publicly accessible locations and implement secure configuration management practices:
1. Remove exposed connection strings:
Delete or restrict access to files containing connection strings. Ensure these files are not accessible via web requests by placing them outside the web root or using proper access controls.
2. Use environment variables or secure configuration stores:
Store connection strings in environment variables or dedicated secret management systems (e.g., Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
// Example: Using environment variables in .NET
// GetEnvironmentVariable returns null when the variable is unset; fail fast rather than fall back to a hard-coded string.
string connectionString = Environment.GetEnvironmentVariable("DB_CONNECTION_STRING");
// Example: Using environment variables in Node.js
// process.env values are undefined when unset; validate before opening a connection.
const connectionString = process.env.DB_CONNECTION_STRING;
3. Implement proper file permissions:
Ensure configuration files have restrictive permissions (e.g., readable only by the application user, not by web server processes).
4. Rotate compromised credentials:
Change all database passwords and connection details that were exposed. Update application configurations accordingly.
5. Use encrypted configuration sections:
For applications that must store connection strings in configuration files, use built-in encryption mechanisms provided by your framework.
6. Review version control systems:
Ensure connection strings are not committed to source code repositories. Add configuration files to .gitignore and scan repository history for accidentally committed secrets.
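To support steps 1 and 6 (finding exposed strings in files, responses and repository history) the following added example, which is not part of this finding's own detection logic, matches three common connection-string families and masks the password so a hit can be logged without re-exposing the secret. The regexes and the sample configuration text are constructed for the example and are not real credentials.

```python
import re

# Three connection-string families: URI style (postgres://user:pw@host/db),
# ADO.NET key=value style (Server=...;Password=...), and JDBC URLs whose
# password travels as a query parameter. The patterns are illustrative.
URI_RE = re.compile(
    r"(?<!jdbc:)(?P<scheme>postgres(?:ql)?|mysql|mssql|mongodb(?:\+srv)?|redis)://"
    r"(?:(?P<user>[^:/@\s]+)(?::(?P<password>[^@\s]*))?@)?"
    r"(?P<host>[^/\s:?]+)(?::(?P<port>\d+))?(?:/(?P<db>[^\s?;\"']*))?",
    re.IGNORECASE,
)
ADO_RE = re.compile(
    r"(?:Server|Data Source|Host)\s*=\s*(?P<host>[^;\s]+)\s*;[^\n]*?"
    r"(?:Password|Pwd)\s*=\s*(?P<password>[^;\s\"']+)",
    re.IGNORECASE,
)
JDBC_RE = re.compile(
    r"jdbc:(?P<scheme>[a-z]+)://(?P<host>[^/;\s:]+)[^\s\"']*?"
    r"password=(?P<password>[^&;\s\"']+)",
    re.IGNORECASE,
)
PATTERNS = (("uri", URI_RE), ("ado", ADO_RE), ("jdbc", JDBC_RE))

def find_connection_strings(text):
    """Return (format, host, credential_present) for each string found."""
    hits = []
    for name, rx in PATTERNS:
        for m in rx.finditer(text):
            hits.append((name, m.group("host"), m.group("password") is not None))
    return hits

def redact(text):
    """Mask every password so the finding can be reported without the secret."""
    spans = []
    for _, rx in PATTERNS:
        for m in rx.finditer(text):
            if m.group("password"):
                spans.append((m.start("password"), m.end("password")))
    out = text
    for start, end in sorted(spans, reverse=True):  # right-to-left keeps offsets valid
        out = out[:start] + "***" + out[end:]
    return out

# Constructed sample of leaked configuration content; not real credentials.
SAMPLE = """\
DATABASE_URL=postgres://app:S3cret!@db.internal:5432/orders
<add name="Main" connectionString="Server=sql01;Database=orders;User Id=app;Password=Pa55word;" />
spring.datasource.url=jdbc:mysql://db02:3306/app?user=app&password=hunter2
CACHE_URL=redis://cache.internal:6379
"""

if __name__ == "__main__":
    for fmt, host, cred in find_connection_strings(SAMPLE):
        print(f"{fmt:5} host={host} credentials_exposed={cred}")
    print(redact(SAMPLE))
```

A string without credentials (the redis URL above) is still reported, since a reachable host and database name are themselves configuration that should not be public.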