ASP.NET SQL Connection Security; what should never go in a public github repository?
Lost my job last week and I'm working on an ASP.NET/Angular project to demonstrate what I know in .NET/C#. I'm wanting it to be public enough for potential employers to at least see that I'm comfortable working in this kind of tech, but my settings include my password for the local db, and I'm really really not a security person so I'm concerned there's something obvious that shouldn't be public. Unless I'm being overly paranoid. The server is only locally hosted right now, but if I get to the point of making it public I'm not sure the best way to securely host a database like that.
9 Replies
why don't you use sqlite?
https://learn.microsoft.com/en-us/dotnet/standard/data/sqlite/?tabs=net-cli
things to exclude from the repo: username, password, host URL, database name, any cryptographic keys or certificates
all those go in secrets
but if you have to demonstrate your work to others, not having a need for a password at all is a very good idea
Unless you're trying to demonstrate your ability to use the database engine as well
good point
but if you know sqlite, im more than likely know mysql
in fact, most of the syntax is the same
but i can't deny that sqlite isn't mysql
I'm so sorry for vanishing. I had a busy week and completely forgot I posted this after a while. Is there a good source on how to set up secrets? I'm just starting to get a handle on setting up an API and a Client project so I'm not sure how exactly to go about implementing secrets like that. I'll take a look into SQLite though since I may keep going with some of my own projects this way
well, microsoft posted this on how to store secrets:
https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets
and jetbrains has this:
https://blog.jetbrains.com/dotnet/2023/01/17/securing-sensitive-information-with-net-user-secrets/
if you deploy to a server, you might want to use .env files
Thank you very much!!!
you're welcome