
I'm writing an open-source program interfacing with a protected MySQL server. I'd like to keep the development environment as close to the production environment as possible. Variables that must be kept secure are passed in via environment variables. Otherwise they are posted to the world.

Which of the following connection parameters should I secure and why?

  • Database name
  • Server username
  • Server user password
  • Hostname
user276833
  • Are you really asking if and why you need to secure the password? – schroeder Apr 15 '19 at 21:04
  • Trivial, but complete. – user276833 Apr 15 '19 at 21:10
  • ....you say "secure", but that's not actually the proper motivation for extracting these. In reality, you will probably need to configure a different hostname (because it's almost certainly going to be a different address). Database and user name are unlikely to actually be something to "hide" - you're almost certainly going to need to supply setup scripts to create the database in the first place, and while it's nice to be able to change defaults, most applications use a default name and stick with it (makes troubleshooting easier). – Clockwork-Muse Apr 15 '19 at 21:15

1 Answer


Username and password are the bare minimum secrets.

Hostname and database name are convenient to have in environment variables so they can be easily changed in response to changes in the production environment.

If the MySQL server is exposed to the internet, the IP/hostname might give a would-be attacker of your site an interesting clue. Having MySQL listen to the internet is a bad practice though, and trying to keep the IP a secret does little to help.

le3th4x0rbot
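The split described in the answer, as an added example that is not part of the original post or the asker's program: credentials are required from the environment with no fallback, while hostname and database name get publishable defaults. The variable names (`DB_USER`, `DB_PASSWORD`, `DB_HOST`, `DB_NAME`), the default values and the helper names are assumptions made for illustration.

```python
import ipaddress
import os
from dataclasses import dataclass, field

# Hypothetical variable names and defaults; the page does not name any.
SECRET_VARS = ("DB_USER", "DB_PASSWORD")                       # no defaults, never committed
PLAIN_DEFAULTS = {"DB_HOST": "127.0.0.1", "DB_NAME": "appdb"}  # fine to publish in the repo


class MissingSecret(RuntimeError):
    """Raised when a credential is absent or empty in the environment."""


@dataclass(frozen=True)
class DbConfig:
    host: str
    name: str
    user: str
    password: str = field(repr=False)  # keep the password out of logs and tracebacks


def load_db_config(env=None):
    """Build the connection settings from an environment mapping."""
    env = os.environ if env is None else env
    missing = [v for v in SECRET_VARS if not env.get(v)]
    if missing:
        # Fail closed rather than fall back to a credential baked into the repo.
        raise MissingSecret("unset: " + ", ".join(missing))
    host = env.get("DB_HOST", PLAIN_DEFAULTS["DB_HOST"])
    name = env.get("DB_NAME", PLAIN_DEFAULTS["DB_NAME"])
    return DbConfig(host, name, env["DB_USER"], env["DB_PASSWORD"])


def host_is_internal(host):
    """True for 'localhost' and loopback/private IP literals; names are not resolved."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: cannot be judged offline, so not proven internal
    return addr.is_loopback or addr.is_private


if __name__ == "__main__":
    # Constructed sample environment, not real credentials.
    sample = {"DB_USER": "app", "DB_PASSWORD": "example-only", "DB_HOST": "10.0.0.5"}
    cfg = load_db_config(sample)
    print(cfg, "internal" if host_is_internal(cfg.host) else "check exposure")
```
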