C# 2y ago
Espionage

❔ Moving from Development to Production

I want to be more secure in my .NET server application. Atm my DB connection string is just stored in appsettings.json. What would you do to actually protect it in some way? I was thinking maybe set it as an environment variable, but I don't really understand how that would help. What strategies would you employ and why?
2 Replies
djmurp 2y ago
An environment variable that is stored on your machine (and not in a settings file) is more secure because you aren't committing the secrets into a source repository. That means even if someone got hold of your code (via GitHub or otherwise) they wouldn't have any database access. You should do your best to protect the host serving your application, but if someone has host access then you likely can't hide secrets from them, so an environment variable is fine. There are various levels depending on what you prefer/need. Environment variables are just one option, but a more secure version might be something like Azure Key Vault (if you're using Azure), or some other secret management service. You could also combine these methods so that on local development your application looks for a secrets file (that is added to .gitignore if you're using git, so that the secrets file doesn't get added to the repository as before) but on production it uses a secret management service like Key Vault.
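The layered setup described in the reply above, as an added example that is not part of the original thread: a `Program.cs` that reads a git-ignored local file in development, Key Vault in production, and refuses to start in production if the connection string came from a committed `appsettings*.json`. The key name `ConnectionStrings:Default`, the file name `secrets.local.json` and the `KEYVAULT_URI` variable are assumptions, as are the `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` package references.

```csharp
// Program.cs (added example; names below are hypothetical, not from the thread).
using Azure.Identity;
using Microsoft.Extensions.Configuration.Json;

var builder = WebApplication.CreateBuilder(args);
// CreateBuilder already loads appsettings*.json and environment variables;
// the variable ConnectionStrings__Default maps to the key below.
const string Key = "ConnectionStrings:Default";

if (builder.Environment.IsDevelopment())
{
    // Local-only file, listed in .gitignore so it never reaches the repository.
    builder.Configuration.AddJsonFile("secrets.local.json", optional: true, reloadOnChange: false);
}
else
{
    // KEYVAULT_URI (assumed name) holds the vault address, which is not a secret.
    var vaultUri = builder.Configuration["KEYVAULT_URI"];
    if (!string.IsNullOrEmpty(vaultUri))
    {
        // A vault secret named "ConnectionStrings--Default" maps to the key above.
        builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
    }
}

// The last provider added wins, so walk them in reverse to find who supplied the value.
var source = ((IConfigurationRoot)builder.Configuration).Providers
    .Reverse()
    .FirstOrDefault(p => p.TryGet(Key, out var v) && !string.IsNullOrEmpty(v));

if (source is null)
    throw new InvalidOperationException($"{Key} is not configured.");

// Guard: outside Development, reject a connection string that came from a
// committed appsettings*.json file.
if (!builder.Environment.IsDevelopment()
    && source is JsonConfigurationProvider json
    && (json.Source.Path ?? "").StartsWith("appsettings", StringComparison.OrdinalIgnoreCase))
{
    throw new InvalidOperationException($"{Key} must not come from {json.Source.Path} in production.");
}

var connectionString = builder.Configuration[Key]!; // hand this to the data layer
var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```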