Documentation Index
Fetch the complete documentation index at: https://guide.codepure.com/llms.txt
Use this file to discover all available pages before exploring further.
Common Misconfiguration
Hardcoded database passwords in configuration files, connection strings, and migration scripts expose databases to unauthorized access.
Vulnerable Example
# VULNERABLE - Django settings.py with hardcoded password
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'production_db',
'USER': 'postgres',
'PASSWORD': 'PostgresAdmin123!', # Never hardcode!
'HOST': 'db.production.com',
'PORT': '5432',
},
'analytics': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'analytics',
'USER': 'root',
'PASSWORD': 'MyS3cr3tP@ssw0rd', # Never hardcode!
'HOST': 'mysql.production.com',
'PORT': '3306',
}
}
# Cache password
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.redis.RedisCache',
'LOCATION': 'redis://default:RedisPassword123@redis.production.com:6379/1',
}
}
// VULNERABLE - Node.js database configuration
module.exports = {
development: {
username: 'dev_user',
password: 'DevPass123',
database: 'dev_db',
host: '127.0.0.1',
dialect: 'postgres'
},
production: {
username: 'prod_user',
password: 'ProdPassword2024!', // Never hardcode!
database: 'production_db',
host: 'db.production.com',
dialect: 'postgres',
dialectOptions: {
ssl: {
require: true,
rejectUnauthorized: false
}
}
},
mongodb: {
uri: 'mongodb://admin:MongoAdmin123!@[mongo.production.com:27017/myapp](https://mongo.production.com:27017/myapp)'
},
redis: {
host: 'redis.production.com',
port: 6379,
password: 'RedisSecretPass!' // Never hardcode!
}
};
# VULNERABLE - Rails database.yml
production:
adapter: postgresql
encoding: unicode
database: myapp_production
username: myapp
password: Rails2024Prod! # Never hardcode!
host: postgresql.production.com
port: 5432
pool: 25
redis:
url: redis://default:RedisPass123@redis.production.com:6379/0
Secure Example
# SECURE - Django settings with environment variables
import os
from urllib.parse import urlparse
import dj_database_url
# Use environment variable or connection string
DATABASE_URL = os.environ.get('DATABASE_URL')
if DATABASE_URL:
DATABASES = {
'default': dj_database_url.parse(DATABASE_URL, conn_max_age=600)
}
else:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': os.environ.get('DB_NAME', 'myapp'),
'USER': os.environ.get('DB_USER', 'postgres'),
'PASSWORD': os.environ.get('DB_PASSWORD'), # Required from environment
'HOST': os.environ.get('DB_HOST', 'localhost'),
'PORT': os.environ.get('DB_PORT', '5432'),
'CONN_MAX_AGE': 600,
'OPTIONS': {
'sslmode': 'require' if os.environ.get('DB_SSL') == 'true' else 'prefer',
'connect_timeout': 10,
}
}
}
# Validate database configuration
if not DATABASES['default'].get('PASSWORD'):
raise ValueError("Database password not configured. Set DB_PASSWORD environment variable.")
# Redis with password from environment
REDIS_URL = os.environ.get('REDIS_URL')
if REDIS_URL:
redis_url = urlparse(REDIS_URL)
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.redis.RedisCache',
'LOCATION': REDIS_URL,
'OPTIONS': {
'CONNECTION_POOL_KWARGS': {
'max_connections': 50,
'retry_on_timeout': True,
'socket_keepalive': True,
'socket_keepalive_options': {
1: 1, # TCP_KEEPIDLE
2: 1, # TCP_KEEPINTVL
3: 5, # TCP_KEEPCNT
}
}
}
}
}
// SECURE - Node.js with secure password management
const { Sequelize } = require('sequelize');
const { createClient } = require('redis');
const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");
class SecureDatabaseConfig {
constructor() {
this.connections = {};
}
async initializeFromSecretsManager() {
const client = new SecretsManagerClient({ region: process.env.AWS_REGION });
try {
const command = new GetSecretValueCommand({
SecretId: "prod/database/credentials",
});
const response = await client.send(command);
const secrets = JSON.parse(response.SecretString);
return {
username: secrets.username,
password: secrets.password,
engine: secrets.engine,
host: secrets.host,
port: secrets.port,
dbname: secrets.dbname
};
} catch (error) {
console.error("Failed to retrieve database credentials:", error);
throw error;
}
}
async createPostgresConnection() {
const config = await this.initializeFromSecretsManager();
const sequelize = new Sequelize({
dialect: 'postgres',
host: config.host,
port: config.port,
database: config.dbname,
username: config.username,
password: config.password,
logging: process.env.NODE_ENV === 'development',
pool: {
max: 20,
min: 5,
acquire: 30000,
idle: 10000
},
dialectOptions: {
ssl: {
require: true,
rejectUnauthorized: process.env.NODE_ENV === 'production'
},
keepAlive: true,
statement_timeout: 30000,
idle_in_transaction_session_timeout: 60000
},
retry: {
max: 3,
match: [
Sequelize.ConnectionError,
Sequelize.ConnectionTimedOutError,
Sequelize.TimeoutError
]
}
});
// Test connection
await sequelize.authenticate();
console.log('Database connection established successfully.');
this.connections.postgres = sequelize;
return sequelize;
}
async createRedisConnection() {
// Use environment variable for AUTH token
const redis = createClient({
socket: {
host: process.env.REDIS_HOST,
port: parseInt(process.env.REDIS_PORT) || 6379,
tls: process.env.NODE_ENV === 'production'
},
password: process.env.REDIS_AUTH_TOKEN, // Use AUTH token
database: parseInt(process.env.REDIS_DB) || 0,
reconnectStrategy: (options) => { // Use 'reconnectStrategy' for node-redis v4
if (options.error && options.error.code === 'ECONNREFUSED') {
return new Error('Redis connection refused');
}
if (options.total_retry_time > 1000 * 60 * 60) {
return new Error('Redis retry time exhausted');
}
if (options.attempt > 10) {
return undefined;
}
return Math.min(options.attempt * 100, 3000);
}
});
redis.on('error', (err) => console.error('Redis Client Error', err));
await redis.connect();
this.connections.redis = redis;
return redis;
}
// Password rotation handler
async rotatePasswords() {
console.log('Starting password rotation...');
// Close existing connections
for (const [name, conn] of Object.entries(this.connections)) {
if (conn.close) await conn.close();
if (conn.quit) await conn.quit();
}
// Reinitialize with new credentials
await this.createPostgresConnection();
await this.createRedisConnection();
console.log('Password rotation completed successfully');
}
}
# SECURE - Kubernetes secret for database passwords
apiVersion: v1
kind: Secret
metadata:
name: database-passwords
namespace: production
type: Opaque
stringData:
postgres-password: ${POSTGRES_PASSWORD} # Value is injected by CI/CD
mysql-password: ${MYSQL_PASSWORD}
redis-password: ${REDIS_PASSWORD}
mongodb-password: ${MONGODB_PASSWORD}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: database-config
data:
postgres-host: "postgresql.production.svc.cluster.local"
postgres-port: "5432"
postgres-database: "myapp"
postgres-user: "appuser"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: app
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: database-passwords
key: postgres-password
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: database-config
key: postgres-host
Detection Patterns
- Key/Value Pair:
`(password|passwd|pwd|secret|token)['"]?\s*[:=]\s*['"][^'"]+['"]`
- Connection String:
`(mysql|postgres|redis|mongodb)://[^:]+:[^@]+@`
- Django Password:
`'PASSWORD':\s*['"][^'"]+['"]`
- Rails Password:
`password:\s*[^#\s]+`
Prevention Best Practices
- Use Environment Variables: Never hardcode passwords. Load them from the environment at runtime.
- Implement Secrets Management: Use a dedicated secrets manager (like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager) to store and inject credentials.
- Use IAM Database Authentication: Where possible (e.g., AWS RDS, GCP Cloud SQL), use IAM roles to authenticate to the database without any passwords.
- Implement Password Rotation: Enforce and automate regular password rotation policies.
- Use Strong Passwords: Ensure all database passwords are long, complex, and randomly generated.
- Enable SSL/TLS: Encrypt all database connections in transit.
- Use Connection Pooling: Implement secure connection pooling to manage connections.
- Monitor Failed Logins: Actively monitor and alert on failed authentication attempts.
- Use Separate Credentials: Use different passwords and service accounts for each environment (dev, staging, prod).
- Implement Audit Logging: Enable database audit logging to track all access and changes.
