I have a question about how to store my database config for my php web application in apache2 server. (Apache/2.4.38 (Debian)).
Should I store it in a non-public config.ini.php file or store it as environment variable in /etc/apache2/envvars?
Both looks good to me.
Any advice? Thanks
honestly hard coding credentials in your source code is not a good security practice , so it's best to use apache envvars.
IMPORTANT: If you have creds hard-coded in your files, refactor them out immediately. This is a bad security practice (and is mentions in both CWE-256 and the OWASP Top 10 (as A2) in the Broken Authentication item).
