1

We have an site made up of several hundred ASP.NET 4 web apps. Currently our production config is specified in config transforms and resides along with the source code for each application. We deploy to staging and production environments using WebDeploy packages.

What are the options for securing the configuration?

I can think of the following:

  • encrypt the config files and build tool/s that use certs to decrypt in prod
  • store and deploy the configuration transform files separately
  • extend the system.configuration to read config from env. vars (easy for appSettings, more involved for custom config sections).

Is there a standard approach for this and perhaps some tools I am unaware of?

Myles McDonnell
  • 12,943
  • 17
  • 66
  • 116
  • I've had a lot of success when introduced Octopus Deploy for deployment of web applications: https://octopus.com/ Your 3 use cases are well supported by Octopus. – nimeshjm Nov 27 '15 at 11:20
  • we have all of our deployment tooling sorted so using Octopus would be overkill. I'm going to store the prod configs in separate secure repos and have team city pull them when it builds the deploy packages. – Myles McDonnell Nov 27 '15 at 12:13
  • you can use individual web app configuration. to do this, check my simple trick at http://stackoverflow.com/questions/11058235/read-custom-config-file-in-asp-net/19422773#19422773 – mRizvandi Oct 24 '16 at 10:14

0 Answers0