6

I have doubts about storing web.config files in GitHub; is it recommended?

Is this not a security vulnerability?

Also, the web.config will be different in different environments, so how can I keep different versions of web.config in the same repo and branch?

SmartestVEGA
  • What are you using to do your builds/releases? Publish from Visual Studio? PowerShell script? TFS? Team City? Octopus? – mason Mar 02 '17 at 15:09
  • publish from VS – SmartestVEGA Mar 02 '17 at 15:10
  • I recommend you discontinue that practice immediately. We typically put enough configuration in our `web.config` to run the project locally. No sensitive info to get checked into source code control. Then we have a config transform during build (in TFS) that turns all values that need to be changed for deployment to a tokenized file. For example `__ConnectionStrings.ProjectDB__`. Then upon release, a TFS task will insert the appropriate values into the web.config file for the environment being deployed to. Another alternative is to avoid using web.config at all, use environment variables. – mason Mar 02 '17 at 15:14
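As an added example (not code from the question or its comments), here is a POSIX shell rendering of the tokenized approach mason describes: the file kept in Git holds `__Token__` placeholders instead of secrets, and a release step fills them in from environment variables on the deployment agent, refusing to continue if any token is left unresolved. The template contents, the token names and the convention that `__Name.Part__` maps to the variable `Name_Part` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the question or its comments): render a tokenized
# web.config into a deployable one by substituting __Token__ placeholders from
# environment variables, and refuse to proceed if any token stays unresolved.
# The template, token names and variable naming convention are constructed.

# Write a small tokenized web.config (constructed sample input) to a temp file
# and print its path. In a real project this is the file kept in Git.
make_template() {
    tmpl=$(mktemp)
    cat > "$tmpl" <<'EOF'
<configuration>
  <connectionStrings>
    <add name="ProjectDB" connectionString="__ConnectionStrings.ProjectDB__" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="__AppSettings.ApiKey__" />
  </appSettings>
</configuration>
EOF
    echo "$tmpl"
}

# render_config TEMPLATE OUTPUT
# Each __Name.Part__ token is replaced with the value of the environment
# variable Name_Part (dots become underscores). Returns 1, listing the tokens
# concerned on stderr, if any token has no non-empty value, so a half-rendered
# file never reaches the server.
render_config() {
    template=$1
    output=$2
    cp "$template" "$output"
    # Distinct tokens present in the template.
    tokens=$(grep -o '__[A-Za-z0-9_.]*__' "$template" | sort -u)
    missing=""
    for tok in $tokens; do
        var=$(printf '%s' "$tok" | sed 's/^__//; s/__$//; s/\./_/g')
        value=$(printenv "$var" || true)
        if [ -z "$value" ]; then
            missing="$missing $tok"
            continue
        fi
        # Escape the regex-significant dot in the token, and the sed
        # replacement metacharacters (&, /, \) in the value, so a secret
        # containing them is inserted literally.
        pat=$(printf '%s' "$tok" | sed 's/\./\\./g')
        rep=$(printf '%s' "$value" | sed 's|[&/\\]|\\&|g')
        sed -i.bak "s/$pat/$rep/g" "$output" && rm -f "$output.bak"
    done
    if [ -n "$missing" ]; then
        echo "unresolved tokens:$missing" >&2
        return 1
    fi
    return 0
}
```

The rendered output belongs only on the deployment target (or in the release pipeline's workspace), never back in the repository; failing on an unresolved token is what keeps a placeholder from silently shipping as a live setting.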

2 Answers

6

Yes, it is.

Use server-level secrets to store sensitive information like DB connection strings.

In IIS you can use ASPNET_REGIIS - it lets you add secret configuration that IIS can access, but that isn't held in plain text with the web files.

In .NET Core there's the new Microsoft.Extensions.SecretManager.Tools that does the same thing.

For different environments you can have multiple web.config files, for instance web.release.config and web.debug.config.

Keith
3

Your web.config file itself is not a security issue. The keys you probably have inside it, like connection strings, are indeed very much sensitive and should not be in version control. The problem is how to manage those keys without having them in the web.config (or any other version-controlled settings/config file).

Keith is correct that you should use server-level secrets. If you're managing the server yourself you can use his method of setting them, but if you're using a service you'll need to set the keys up however they specify.

An example on Azure

How and where to define an environment variable on azure

Another on Heroku

https://devcenter.heroku.com/articles/config-vars

Setting up the server-level secrets is only the first step. Once you've pulled the keys out of the web.config you'll have to set them up locally. Here's a blog post that talks about setting them using your local machine.config.

http://krow.tech/posts/Keeping-Your-Secret-Configs-Private

rayepps
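Both answers make the same point: the file can be tracked, the credentials inside it cannot. As an added example (not code from either answer), here is a POSIX shell check, suitable for a pre-commit hook or a build step, that fails when a tracked web.config still carries a plaintext connection-string password or a secret-looking appSettings value, while letting `__Token__` placeholders through because they carry no secret. The patterns and the two sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from either answer): a check to run before committing, or
# on the build agent, that fails when a tracked web.config still carries
# plaintext credentials. Placeholder tokens of the form __Name__ are allowed
# because they carry no secret. The patterns and sample files are constructed.

# find_plaintext_secrets FILE
# Prints every offending line (with its line number) and returns 1 if any is
# found; returns 0 when the file is clean.
find_plaintext_secrets() {
    file=$1
    # A connection string carrying an inline password ...
    conn_re='connectionString="[^"]*(password|pwd)=[^";]+'
    # ... or an appSettings key whose name suggests a secret, with a value.
    key_re='key="[^"]*(secret|password|apikey|token)[^"]*" +value="[^"]+"'
    # Lines whose value is a placeholder token are not reported.
    token_re='(connectionString|value)="__[A-Za-z0-9_.]*__"'
    hits=$( { grep -n -i -E "$conn_re" "$file" || true
              grep -n -i -E "$key_re" "$file" || true; } \
            | sort -n -u | grep -v -E "$token_re" || true )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample: a web.config as it should never be committed.
make_bad_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<configuration>
  <connectionStrings>
    <add name="ProjectDB" connectionString="Server=db;User Id=app;Password=hunter2" />
  </connectionStrings>
  <appSettings>
    <add key="PaymentApiKey" value="sk_live_constructed" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
EOF
    echo "$f"
}

# Constructed sample: the same file holding only placeholders.
make_clean_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<configuration>
  <connectionStrings>
    <add name="ProjectDB" connectionString="__ConnectionStrings.ProjectDB__" />
  </connectionStrings>
  <appSettings>
    <add key="PaymentApiKey" value="__AppSettings.PaymentApiKey__" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
EOF
    echo "$f"
}
```

The key-name list is deliberately short and easy to extend; a check like this catches the common mistake of pasting a live connection string into the tracked file, and it complements rather than replaces keeping the real values in server-level secrets or environment variables as the answers describe.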