Should server/database config files, including passwords, be stored in source control?

Question

I\'m looking to hear some best practices...

Assuming a web application that interacts with a few different production servers (databases, etc.)... should the configu

Answer 1

Passwords should not be stored in source control. At all. Ever. See How to keep secrets secret

Passwords, servernames, etc. are part of the deployment configuration as performed by the server administrator. It is essential to document this procedure and place the documented procedure under control.

Alternatively the deployment configuration could be performed by a script that the sysadmin would run to perform the configuration, and during the script execution it would ask the sysadmin to provide the required information. Again this script must be kept in version control.

Everything else, apart from server configuration must be in source control.

Storing server configuration in source control is generally a bad idea because it gets in the way of deployments and can cause small disasters (e.g. when someone doesn't realise that their test version deployed from source control is communicating with a live service).

Always keep these configuration files outside of the webroot.

Trusted connections may be an option, allowing known IP addresses to connect to services by configuration of that service..

• When running on Windows use integrated authentication. Refer to Securing Data Access
• MySQL configure to allow connections from localhost and to not require a password. See Step 7: Securing a MySQL Server on Windows
• PostgreSQL you can use ~/.pgpass.