I have a C# web app with a database connection string saved in the web.config file. This file is also part of a git repository. How can I save the connection string to prevent it from being compromised in case a bad actor gains access to my repository?
Would encrypting the file solve my problem like answers to this old question suggest?
If yes, how can i do this in .NET?
3
Answers
You should ( as i saw my projects ) store it in launchSettings.json.
Forexample
This file is different for all programmers.
There are many tools for securely storing secrets in a Git repository, and you will find a great overview here(archive 1, archive 2) that discusses the tradeoffs.
Of those mentioned in the article, I’ve only used git-secret which has this synopsis:
As for the broader question of how to provide passwords to an ASP.NET server, it’s a big topic. I suggest reading the guide Protecting Connection Strings and Other Configuration Information from Microsoft.
You should never commit sensitive data or credentials into fit.
You can use User Secrets to work locally.
When deploying to a server or hosting environment you should use environment variables.
This has the added benefit of allowing you to set different values in each environment.