Applications that handle private user information (credit card numbers, addresses, medical records, and so on) must take specific steps to keep that data confidential and unaltered. Secrets used by the application's own implementation, such as passwords and database connection strings, need the same protection. Sensitive data is exposed both at rest, while it sits in persistent storage, and in transit, while it crosses the network, so both cases have to be covered.
Secrets include passwords, database connection strings, and credit card numbers. The following practices improve the security of your Web application’s handling of secrets:
Do not store secrets if you can avoid it.
Do not store secrets in code.
Do not store database ...
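The first two practices, as an added example that is not part of the original page: a connection string hard-coded in source beside a runtime lookup that fails fast when the value is absent, and a password store that keeps only a salted, iterated PBKDF2 hash, so the password itself is never stored at all. The environment variable name DB_CONNECTION_STRING, the PasswordStore class and the sample credentials are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not code from the original page. DB_CONNECTION_STRING,
# PasswordStore and the sample credentials below are assumptions for illustration.

# Weak pattern: the secret is a literal in source, so it lands in version control,
# build artifacts and every copy of the deployed binary.
WEAK_CONNECTION_STRING = "Server=db;Database=app;User Id=app;Password=hunter2"


def load_connection_string(env=None):
    """Read the connection string from the environment at runtime.

    The secret lives outside the code (environment, protected config, or a
    secret manager that populates it), and a missing value raises instead of
    silently falling back to a hard-coded default.
    """
    env = os.environ if env is None else env
    value = env.get("DB_CONNECTION_STRING")
    if not value:
        raise RuntimeError("DB_CONNECTION_STRING is not set")
    return value


# "Do not store secrets if you can avoid it": the application only needs to
# verify a password, never to recall it, so it stores a salted PBKDF2 hash.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self):
        self._records = {}  # username -> (salt, digest); no plaintext anywhere

    def register(self, username, password):
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
        self._records[username] = (salt, _derive(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do a dummy derivation so unknown users cost as much as wrong passwords
            # and the response time does not reveal which usernames exist.
            _derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, expected = record
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(_derive(password, salt), expected)

    def stored_record(self, username):
        """Expose the stored tuple so callers can confirm it holds no plaintext."""
        return self._records[username]


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("wrong password:", store.verify("alice", "Tr0ub4dor&3"))
    print("unknown user:", store.verify("bob", "anything"))
    print("connection string:", load_connection_string({"DB_CONNECTION_STRING": "Server=db;Database=app"}))
```

The weak constant is left in the block only to show what a hard-coded secret looks like; in a real code base it would be removed and the value injected through the environment or a secret manager, and the salted hash is what a database dump would reveal instead of the passwords themselves.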