Database Connections
Unencrypted connections, publicly accessible databases, default credentials, inline passwords, MongoDB/Redis/Elasticsearch without auth, pool limits, and SSL validation.
12 vulnerabilities
Unencrypted Database Connection
Severity: high
Your database connection doesn't use SSL/TLS, meaning all queries and results travel over the network in plaintext and can be intercepted.

Database Publicly Accessible
Severity: critical
Your database is bound to 0.0.0.0 or exposed on a public IP without a VPC or firewall, making it directly reachable from the internet.

Default Database Credentials
Severity: critical
Your database uses factory-default credentials like postgres:postgres, root:root, or admin:admin, the first thing any attacker tries.

Connection String with Inline Password
Severity: high
A database connection string with a plaintext password is hardcoded in your source code, committing your database credentials to version control.

MongoDB Without Authentication
Severity: critical
Your MongoDB connection has no authentication credentials, allowing anyone who can reach the database port to read, modify, or delete all data.

Redis Without Authentication
Severity: high
Your Redis instance has no password and is accessible beyond localhost, letting anyone who can reach it read all cached data, session tokens, and queue contents.

Elasticsearch Publicly Accessible
Severity: critical
Your Elasticsearch instance is reachable from the internet without authentication, exposing all indexed data to anyone who knows the endpoint URL.

No Connection Pool Limits
Severity: medium
Your database connection pool has no max connection limit, meaning a traffic spike or slow query can exhaust all available database connections and take your app down.

Missing Database Connection Timeout
Severity: medium
Your database connection has no timeout configured, so a slow or unresponsive database will hang your entire application indefinitely instead of failing fast.

Database Credentials in Environment Logs
Severity: high
Your DATABASE_URL or database password gets printed to application logs via console.log or error messages, exposing credentials to anyone with log access.

Missing Database SSL Certificate Validation
Severity: high
Your database SSL connection uses rejectUnauthorized: false, which encrypts traffic but doesn't verify the server's identity, leaving you open to man-in-the-middle attacks.

Hardcoded Database Host in Source
Severity: medium
Your database hostname and port are hardcoded in source code instead of environment variables, exposing your infrastructure topology and making deployments inflexible.