Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Storing Web.config in Git

Tags:

c#

.net

github

asp.net

I have doubt on storing web.config files in Git-hub, is it recommended?

Is this not a security vulnerability?

Also web.config for different environments will be different in different enviroments, hence how to keep different versions of web.config is same repo and branch?

like image 557
SmartestVEGA Avatar asked Mar 02 '17 15:03

SmartestVEGA

People also ask

How do I change my git config list?

Show global git config settings But at runtime, only the value set locally is used. If you would like to delete or edit a Git config value manually with a text editor, you can find the Git config file locations through the Git config list command's –show-origin switch.

What is git config?

The git config command is a convenience function that is used to set Git configuration values on a global or local project level. These configuration levels correspond to . gitconfig text files. Executing git config will modify a configuration text file.

2 Answers

Yes, it is.

Use server-level secrets to store sensitive information like DB connection strings.

In IIS you can use ASPNET_REGIIS - it lets you add secret configuration that IIS can access, but that isn't held in plain text with the web files.

In .NET core there's new Microsoft.Extensions.SecretManager.Tools that does the same thing.

For different environments you can have multiple web.config files, for instance web.release.config and web.debug.config.

like image 153
Keith Avatar answered Oct 14 '22 15:10

Keith

Your web.config file itself is not a security issue. The keys you probably have inside it like connections strings are indeed very much sensitive and should not be in version control. The problem is how to manage those keys without having them in the web.config (or any other version controlled settings/config file).

Keith is correct that you should use server-level secrets. If your managing the server yourself you can use his method of setting them but if your using a service you'll need to set the keys up however they specify.

An example on Azure

How and where to define an environment variable on azure

Another on Heroku

https://devcenter.heroku.com/articles/config-vars

Setting up the server-level secrets is only the first step. Once you've pulled the keys out of the web.config you'll have to set them up locally. Here's a blog post that talks about setting them using your local machine.config.

http://krow.tech/posts/Keeping-Your-Secret-Configs-Private

like image 29
rayepps Avatar answered Oct 14 '22 13:10

rayepps
Sign in to Comment

Related questions

Entity Framework table name convention
dynamic in android xamarin
Display local images in UWP WebView control
Unity C#: How can I create a GameObject at screen position? [closed]
Save game when exiting app
My IUserClaimsPrincipalFactory implementation is causing StackOverflowException on IdentityServer4
how to make a c# script run at scene start in unity
How can I know if a text file ends with carriage return or not?
Skip and Take not working with MySQL EntityFrameworkCore
ExcelDataReader Datatype "date" gets transformed
i am getting an error Argument 2 may not be passed with ref keyword while using ado.net
SslStream and Authentication
Binding Date Only and Time Only
HostingEnviornment.QueueBackgroundWorkItem is not working in azure worker role
How does it work the Session Per Request pattern?
ASP MVC 5 Date Format Validation Issue
How to use Route attribute to bind query string with web API?
How does OnValidateIdentity ASP.NET Identity work
Can Entity Framework Core run non-query calls?
How do I bind a WPF ComboBox to a List<Objects> in XAML?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!