2

I've been following a tutorial with express, node and mongo. I have in a config file on the server side:

production:{
    db:'mongodb://MYUSERNAME:[email protected]:33307/dbname',
    rootPath:rootPath,
    port:process.env.PORT||80
}

so, i have my username and password in clear text in a server side javascript file. should i be worried about this? if yes, where else can I put it?

Thanks.

Edit: I went back and had a look at mongolab and heroku (where my site is hosted) docs.

Where I found: "The MongoLab add-on contributes one config variable to your Heroku environment: MONGOLAB_URI", and so I was able to put the MONGOLAB_URI env var into my config and move the password out of the source code.

With regards to the same datacenter, am I right to assume heroku would not be hosting my mongolab database in their datacenter, but would instead be calling out to a cloud service mongo database? Not much I can do then, is there, if I want to stick with mongolab and heroku?

Improve this question

2 Answers 2

Reset to default
1

I know this question is old but according to Heroku's docs they currently use 2 datacenters (https://devcenter.heroku.com/articles/regions#data-center-locations).

Their US server is 'amazon-web-services::us-east-1' and their EU alternative is 'amazon-web-services::eu-west-1'.

Both of these data centers are available when launching mongo instances on Mongolab so you can choose for both your app and your db to be on the same datacenter giving much improved security.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I think you should always be concerned about storing passwords in source code files. Generally you would be much better off keeping it in a configuration file that is managed separately. This gives you the flexibility to use the same code with a different configuration file to point to development or qa databases.

Of bigger concern perhaps - are you hosting your application in the same datacenter that MongoLab is hosting your database? If not, that user name and password, along with your data, will traverse the internet in the clear.

MongoLab does not currently support SSL (other than for their RestAPI) so even they recommend being in the same data center:

Do you support SSL?

Not yet but it is on our roadmap to be available in Summer 2014. In the meantime, we highly recommend that you run your application and database in the same datacenter. If you have a Dedicated plan, we also highly recommend that you configure custom firewall rules for your database(s).

Rest API:

Each MongoLab account comes with a REST API that can be used to access the databases, collections and documents belonging to that account. The API exposes most the operations you would find in the MongoDB driver, but offers them as a RESTful interface over HTTPS.

I would definitely read MongoLab's security page fairly closely:

https://docs.mongodb.com/manual/security/

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.