I have a doubt about storing web.config files in GitHub; is it recommended?
Is this not a security vulnerability?
Also, web.config for different environments will be different, hence how to keep different versions of web.config in the same repo and branch?
Yes, it is.
Use server-level secrets to store sensitive information like DB connection strings.
In IIS you can use ASPNET_REGIIS - it lets you add secret configuration that IIS can access, but that isn't held in plain text with the web files.
In .NET Core there's new Microsoft.Extensions.SecretManager.Tools that does the same thing.
For different environments you can have multiple web.config files, for instance web.release.config and web.debug.config.
Your web.config file itself is not a security issue. The keys you probably have inside it, like connection strings, are indeed very much sensitive and should not be in version control. The problem is how to manage those keys without having them in the web.config (or any other version-controlled settings/config file).
Keith is correct that you should use server-level secrets. If you're managing the server yourself you can use his method of setting them, but if you're using a service you'll need to set the keys up however they specify.
An example on Azure
How and where to define an environment variable on azure
Another on Heroku
https://devcenter.heroku.com/articles/config-vars
Setting up the server-level secrets is only the first step. Once you've pulled the keys out of the web.config you'll have to set them up locally. Here's a blog post that talks about setting them using your local machine.config.
http://krow.tech/posts/Keeping-Your-Secret-Configs-Private
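Both answers come down to keeping credentials out of the committed web.config. The following is an added example, not code from either answer: a check that could run before a commit or in CI to flag connection strings and appSettings values that still hold a secret in plain text, while accepting sections encrypted with ASPNET_REGIIS. The function name, the key-name heuristic and both sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a credential ("Password=..." / "Pwd=...").
CRED_RE = re.compile(r"(?i)(?:^|;)\s*(password|pwd)\s*=\s*([^;]+)")
# appSettings key names that usually hold a secret (heuristic assumed for this example).
SECRET_KEY_RE = re.compile(r"(?i)(password|secret|token|api[_-]?key)")

# Constructed sample: a web.config with secrets in plain text.
SAMPLE_PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=app;Password=EXAMPLE-ONLY;" />
    <add name="Local" connectionString="Server=(local);Database=app;Integrated Security=true;" />
  </connectionStrings>
  <appSettings>
    <add key="PageSize" value="20" />
    <add key="PaymentApiKey" value="EXAMPLE-ONLY" />
  </appSettings>
</configuration>"""
# Constructed sample: the same section after encryption with ASPNET_REGIIS.
SAMPLE_PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

def find_plaintext_secrets(config_xml):
    """Return one finding per credential stored in plain text in a web.config document."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("connectionStrings"):
        # An encrypted section has a protection provider and an <EncryptedData> body.
        if section.get("configProtectionProvider") or any(
                child.tag.endswith("EncryptedData") for child in section):
            continue
        for add in section.iter("add"):
            m = CRED_RE.search(add.get("connectionString", ""))
            if m and m.group(2).strip():
                findings.append(f"connectionStrings/{add.get('name')}: inline {m.group(1)}")
    for section in root.iter("appSettings"):
        if section.get("configProtectionProvider"):
            continue
        for add in section.iter("add"):
            key, value = add.get("key", ""), add.get("value", "")
            if SECRET_KEY_RE.search(key) and value.strip():
                findings.append(f"appSettings/{key}: non-empty value")
    return findings

if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_PLAINTEXT):
        print("FAIL", finding)
```

A connection string that uses integrated security, or a key whose value is left empty in the repository and supplied by the server, passes the check.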