We're considering NopCommerce for our eCommerce platform. It appears that the login and password to the live database are visible in the .json file for developers to see. This is a potential security concern for us. Are there any best practices or recommendations for encrypting this?
I believe the best solution is to move the database account info outside the web root and then create a reference to it. You can find a perfect example in the XOOPS.org CMS script for clarity. Most other scripts have a similar practice of storing the config files with db and config info in the web root.
I get the concern, but if you have a CI/CD process with TFS or Jenkins, you would tokenize it anyway and let the release/deploy task plug in the value stored elsewhere.
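Added example, not part of the thread and not nopCommerce code: a deploy step for the tokenize-and-substitute approach in the last reply, which keeps only placeholders in source control and writes the rendered file with owner-only permissions. The `#{NAME}#` token style, the `ConnectionString` key, the file name and the variable names are assumptions.

```python
import json
import os
import re
import tempfile

TOKEN = re.compile(r"#\{([A-Za-z_][A-Za-z0-9_]*)\}#")
# Constructed sample of the tokenized file kept in source control.
# Key name and #{NAME}# token style are assumptions for illustration.
TEMPLATE = """{
  "ConnectionString": "Server=#{DB_HOST}#;User Id=#{DB_USER}#;Password=#{DB_PASSWORD}#"
}"""


def render(template_text, secrets):
    """Replace every #{NAME}# token; raise if any secret is missing."""
    missing = set()

    def substitute(match):
        if match.group(1) in secrets:
            return secrets[match.group(1)]
        missing.add(match.group(1))
        return match.group(0)

    def walk(node):
        # Substitute on parsed values so json.dump escapes quotes/backslashes.
        if isinstance(node, str):
            return TOKEN.sub(substitute, node)
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        if isinstance(node, list):
            return [walk(value) for value in node]
        return node

    rendered = walk(json.loads(template_text))
    if missing:
        raise KeyError("unresolved tokens: " + ", ".join(sorted(missing)))
    return rendered


def write_private(settings, path):
    """Write the rendered file with owner-only permissions (POSIX 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(settings, handle, indent=2)
    os.chmod(path, 0o600)  # also tightens a file that already existed


if __name__ == "__main__":
    # Constructed values; a release task would pass os.environ instead.
    demo = {"DB_HOST": "db.internal", "DB_USER": "shop_app", "DB_PASSWORD": 'p"a\\ss'}
    target = os.path.join(tempfile.mkdtemp(), "settings.json")
    write_private(render(TEMPLATE, demo), target)
```

The release fails with a `KeyError` naming any token the pipeline did not supply, so a half-rendered file never reaches the server.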