Node.js sensitive information in javascript file?

Question

Is it safe to contain sensitive information such as database connection details on a JavaScript file running on a Node.js server ? For instance:

var mysql = require('db-mysql');
new mysql.Database({
    hostname: 'localhost',
    user: 'user',
    password: 'password',
    database: 'test'
}).on('error', function(error) {
    console.log('ERROR: ' + error);
}).on('ready', function(server) {
    console.log('Connected to ' + server.hostname + ' (' + server.version + ')');
}).connect();

Since JavaScript file is a client-side file, is this information can't be seen through the client on a typical browser using the developer tool ?

Answer 1

Since you're executing the script server-side, this same code is not viewable on the client-side. Think of it along the same lines as a PHP script or similar. However as already pointed out, if you place your script inside a publicly accessible directory, then people could see the code.

A couple of alternatives to placing your credentials directly inside your script could be to move your credentials securely (e.g. with appropriate file/user permissions) to a file in some other directory that your script reads from or get your credentials from the environment like:

# DB_USER=foo DB_PASS=bar node myscript.js

Then inside your script:

new mysql.Database({
  hostname: 'localhost',
  user: process.env.DB_USER,
  password: process.env.DB_PASS,
  database: 'test'
// ...

Answer 2

Although it is safe, but what If directory browsing is enabled on server ?

Answer 3

Yes, it's safe to do that. Client will have only access to what you will send to him from your application. This is not client-side file, it's node.js and your application server-side file. Remember to NOT include this file with other JS files like jquery etc which you will send to your clients.