Severity: medium (CWE-547)

Hardcoded Database Host in Source

Your database hostname and port are hardcoded in source code instead of environment variables, exposing your infrastructure topology and making deployments inflexible.

How It Works

Hardcoding db.prod.example.com:5432 in your source exposes your internal infrastructure topology to anyone who reads the code. Even if the database requires authentication, knowing the hostname makes reconnaissance easier. It also makes environment management a nightmare — every environment (dev, staging, prod) needs code changes rather than just environment variable swaps.

Vulnerable Code
const { Pool } = require('pg'); // node-postgres connection pool

// BAD: database host hardcoded in source
const pool = new Pool({
  host: 'db.prod.internal.example.com', // exposed in source code and in every commit that touches this file
  port: 5432,
  database: 'myapp_prod',
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD
});
Secure Code
const { Pool } = require('pg');

// GOOD: all connection details come from environment variables
const pool = new Pool({
  connectionString: process.env.DATABASE_URL
  // DATABASE_URL covers host, port, dbname, user, password in one var,
  // e.g. postgres://user:pass@host:5432/dbname (set per environment, never committed)
});

Real-World Example

During a security audit of an open-source project's config, the production database hostname was discovered in a committed config file. While credentials were in env vars, the hostname allowed attackers to map the company's internal network topology and target that specific host for other attacks.

How to Prevent It

  • Use a single DATABASE_URL environment variable that encodes all connection details
  • If you need separate variables, use DB_HOST, DB_PORT, DB_NAME from environment variables — never hardcoded
  • Audit your source code for internal hostnames and IP addresses; a regex like \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b catches IPv4 literals, and hostnames need a separate pattern for your internal naming scheme
  • Treat infrastructure hostnames as secrets — they reveal your topology to attackers
  • Use service discovery or DNS aliases in your VPC instead of hardcoding specific hostnames

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.

