Connection String Security
Protecting database connection strings containing credentials from exposure in code, logs, and configuration files.
Description
A database connection string typically contains the hostname, port, database name, username, and password -- everything an attacker needs to access your data. Hardcoding connection strings in source code is one of the most common and dangerous security mistakes. Connection strings committed to version control can be harvested from git history even after deletion, and they frequently appear in CI/CD logs, error messages, and crash reports.
The gold standard for managing database credentials is a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault). The application retrieves the connection string at startup from the secrets manager, and credentials can be rotated without redeploying the application. For simpler setups, use environment variables loaded from a .env file that is excluded from version control via .gitignore. Never pass connection strings as command-line arguments (they appear in process listings via ps aux).
Additional hardening measures include: enabling TLS/SSL for all database connections (sslmode=verify-full in PostgreSQL), using short-lived credentials rotated automatically, restricting database user permissions to the minimum required (principle of least privilege), and configuring network-level access controls (VPC security groups, pg_hba.conf rules) so the database is not accessible from the public internet. Log sanitization middleware should redact connection strings and passwords from application logs.
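The log sanitization step mentioned above, sketched as a Python `logging` filter. This is an added example, not code from the original page; the names `redact`, `RedactingFilter`, `SAMPLES` and `demo`, the logger name and the two regular expressions are assumptions, and the sample strings are constructed.

```python
import io
import logging
import re

MASK = "****"
# URI form: scheme://user:password@host. Greedy match plus the lookahead stops
# at the last "@" before the host, so a password containing "@" is fully masked.
_URI = re.compile(r"(\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:)[^\s/]+(?=@)", re.I)
# Keyword form: password=... or Pwd=... (libpq and ADO.NET-style strings),
# with an optionally quoted value.
_KV = re.compile(r"(\b(?:password|pwd)\s*=\s*)('[^']*'|\"[^\"]*\"|[^\s;&]+)", re.I)

def redact(text: str) -> str:
    """Mask the password in any connection string found in text."""
    text = _URI.sub(lambda m: m.group(1) + MASK, text)
    return _KV.sub(lambda m: m.group(1) + MASK, text)

class RedactingFilter(logging.Filter):
    """Attach to handlers so records from every logger pass through it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first: the secret is often an argument,
        # not part of the format string.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

# Constructed sample strings; the credentials are made up.
SAMPLES = [
    "postgresql://app_user:S3cr3t!pw@db.internal:5432/orders?sslmode=verify-full",
    "host=db.internal dbname=orders user=app_user password=S3cr3t!pw",
    "Server=db.internal;Database=orders;User Id=app_user;Password=S3cr3t!pw;",
]

def demo() -> str:
    """Log a connection failure through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("dsn-redaction-demo")  # hypothetical logger name
    log.propagate = False
    log.addHandler(handler)
    log.error("connect failed for %s", SAMPLES[0])
    log.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(redact(s) for s in SAMPLES))
    print(demo(), end="")
```

Traceback text is rendered by the formatter after filters have run, so exception messages that embed a connection string need the same `redact()` call in a custom `Formatter`.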
Prompt Snippet
Store database credentials in AWS Secrets Manager or HashiCorp Vault with automatic rotation every 90 days. Retrieve the connection string at application startup and cache it in memory -- never write it to disk or environment variable files in production. Enforce sslmode=verify-full in PostgreSQL connection strings with a pinned CA certificate. Configure pg_hba.conf to allow connections only from application subnet CIDRs using scram-sha-256 authentication. Add a pre-commit hook (git-secrets or trufflehog) to prevent accidental credential commits.
Related Terms
Database Connection Pooling
Maintaining a reusable pool of database connections to avoid the overhead of establishing new connections for every query.
Database Connection Timeouts
Configuring time limits for establishing database connections and executing queries to prevent resource exhaustion from hanging operations.
Database Backup Strategies
Systematic approaches to creating, storing, and verifying database backups to protect against data loss from hardware failure, human error, or security incidents.