Where should I store secret strings on Node server?

Question

Well, I\'ve come with a problem. How can I store passwords, db url and important strings that should not go to my public version control?

I\'ve come up with 3 solutions.

Answer 1

The common solution is to add a config.js.example file to version control (that contains empty/dummy values to document what's available).

Then you add config.js to .gitignore (or whatever suits your VCS).

To run your application you simply copy config.js.example to config.js and put in the proper values.

Of course the path to config.js can be taken from an environment variable to allow easily using different configs - but still, you wouldn't put the actual config files under version control (unless you have a separate private repo for config files etc)

It does make sense to always require a config file to exist. Even in development. While the default settings may be suitable, chances are good that many developers on your application want to configure things anyway or simply test things with non-default values.