 

Securing web.config settings

We are developing an ASP.NET MVC 5 application. We hired some remote developers to help us with the project.

The web.config file contains connection strings and app settings that we don't want to share with these remote developers. To work on our application, these developers remote into a development desktop that we control.

What is the best practice for securing sensitive information in web.config, so that developers can still run and debug application but not read the sensitive info in web.config?

user1044169 asked Mar 12 '23 21:03


2 Answers

Encrypting the web.config in a development environment is pointless. The only way to truly hide the information from the developers is not to give it to them in the first place.

  1. You must ensure that your "remote development environment" is set up only to access a development database and is configured with other development settings only.
  2. Don't check in any sensitive data (production passwords, etc.) into your source control. You can achieve this by separating the information into external .config files so they are not checked into source control. TIP: Ignore the file with the actual passwords and add another one with the same name and an extension such as .config.example that is checked in to give the developer instructions on how to set up the file on their local system (which is a helpful reminder regardless of who sets up the system from a clone of the source control repository).
  3. Use a continuous integration server (TeamCity, Jenkins, Octopus Deploy, etc.) to build sensitive information into the release workflow through environment variables. Many CI servers have the ability to hide sensitive data from the UI. You can either practice automatic deployment via CI button-click so your developers don't have access to the sensitive data that is in the CI server, or give the deployment artifact(s) to a trusted team to install in production.

There is really no reason why a developer should even be given a chance to see sensitive production data such as passwords and private keys.

NightOwl888 answered Mar 24 '23 04:03
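To make the "external .config files" suggestion in the answer above concrete, here is an added example (not code from the answer's author) of a checked-in web.config that loads its secrets from files kept out of source control; the file names, connection string values and key names are constructed for the illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- ===== web.config (checked in; contains no secrets) ===== -->
<configuration>
  <!-- configSource replaces the whole section with the named file.
       The file MUST exist at runtime, so every environment needs its own
       copy (the dev desktop gets one holding only dev credentials). -->
  <connectionStrings configSource="ConnectionStrings.config" />

  <!-- The file attribute MERGES an optional external file into appSettings:
       keys in AppSettings.config override the defaults below, and a missing
       file is tolerated, so harmless defaults can live here. -->
  <appSettings file="AppSettings.config">
    <add key="Environment" value="Development" />
  </appSettings>

  <!-- ... rest of the normal MVC 5 configuration ... -->
</configuration>

<!-- ===== ConnectionStrings.config.example (checked in) =====
     Copy to ConnectionStrings.config and fill in credentials for the
     environment you are working in. Never put production values here. -->
<!--
<connectionStrings>
  <add name="DefaultConnection"
       connectionString="Server=DEV-SQL;Database=AppDb;User Id=app_dev;Password=REPLACE_ME"
       providerName="System.Data.SqlClient" />
</connectionStrings>
-->

<!-- ===== .gitignore entries (constructed) =====
     ConnectionStrings.config
     AppSettings.config
     The *.config.example files stay tracked; only the real files are ignored. -->
```

On the build/deploy side, a CI step can write ConnectionStrings.config from a masked environment variable before packaging, which is how item 3 of the answer keeps the production values out of the repository and off the developers' desktop.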


Like Ingenioushax suggested, the standard way of encrypting sections of web.config is using aspnet_regiis. Here is a tutorial.

Clint B answered Mar 24 '23 04:03