8

I have doubt on storing web.config files in Git-hub, is it recommended?

Is this not a security vulnerability?

Also web.config for different environments will be different in different enviroments, hence how to keep different versions of web.config is same repo and branch?

Improve this question
3
  • What are you using to do your builds/releases? Publish from Visual Studio? PowerShell script? TFS? Team City? Octopus? Commented Mar 2, 2017 at 15:09
  • publish from VS Commented Mar 2, 2017 at 15:10
  • 1
    I recommend you discontinue that practice immediately. We typically put enough configuration in our web.config to run the project locally. No sensitive info to get checked into source code control. Then we have a config transform during build (in TFS) that turns all values that need to be changed for deployment to a tokenized file. For example __ConnectionStrings.ProjectDB__. Then upon release, a TFS task will insert the appropriate values into the web.config file for the environment being deployed to. Another alternative is to avoid using web.config at all, use environment variables. Commented Mar 2, 2017 at 15:14

2 Answers 2

Reset to default
7

Yes, it is.

Use server-level secrets to store sensitive information like DB connection strings.

In IIS you can use ASPNET_REGIIS - it lets you add secret configuration that IIS can access, but that isn't held in plain text with the web files.

In .NET core there's new Microsoft.Extensions.SecretManager.Tools that does the same thing.

For different environments you can have multiple web.config files, for instance web.release.config and web.debug.config.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

Your web.config file itself is not a security issue. The keys you probably have inside it like connections strings are indeed very much sensitive and should not be in version control. The problem is how to manage those keys without having them in the web.config (or any other version controlled settings/config file).

Keith is correct that you should use server-level secrets. If your managing the server yourself you can use his method of setting them but if your using a service you'll need to set the keys up however they specify.

An example on Azure

How and where to define an environment variable on azure

Another on Heroku

https://devcenter.heroku.com/articles/config-vars

Setting up the server-level secrets is only the first step. Once you've pulled the keys out of the web.config you'll have to set them up locally. Here's a blog post that talks about setting them using your local machine.config.

http://krow.tech/posts/Keeping-Your-Secret-Configs-Private

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.