Reputation: 12681
Web.config: sensitive settings
The problem:
I would like to run my ASP.NET MVC site locally using IIS, using my Facebook client secret. I would also like to keep the Facebook client secret out of source control. I am publishing all this to Azure, so there is no problem when I'm running my web server in the Cloud. Sensitive settings go straight into the App Service, and never get seen by source control.
In principle, keeping the client secret out of source control is easy. I can just add a config source to my app settings in Web.config:
<appSettings configSource="facebookClientSecret.config" />
and all of my settings can go into facebookClientSecret.config, which gets added to .gitignore.
Therein lies the problem: all of my settings. I don't want to hide all settings from source control: only the sensitive ones.
I have tried doing this:
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add configSource="facebookAppSecret.config" />
<add key="StorageConnectionString" value="UseDevelopmentStorage=true" />
</appSettings>
But apparently that's "not allowed". Is there a way to have a subset of the app settings sourced from a separate file?
Upvotes: 0
Views: 883
Answers (1)
Reputation: 983
The file attribute on appSettings fits the bill nicely.
<appSettings file="facebookAppSecret.config">
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="StorageConnectionString" value="UseDevelopmentStorage=true" />
</appSettings>
Settings will be pulled from the facebookAppSecret.config file as well as the <appSettings></appSettings> entries.
It's worth noting also that the contents of that file should only contain a <appSettings></appSettings> block (i.e. it should not contain <?xml version="1.0" encoding="utf-8" ?><configuration>...</configuration>
You will need to adjust the Build Action (should be "Content") and Copy To Output Directory project settings for the file (right click on file in Visual Studio -> Properties) so the file is included in the output directory when you build.
Upvotes: 2
Related Questions
- Securing web.config settings
- Keeping sensitive information in web.config
- Access to web.config attributes (not appSettings)
- asp.net web config security
- How to solidly protect web.config
- ASP.NET MVC security and IIS allowSubDirConfig configuration
- Hard coded values to web.config file
- Is it bad practice to put sensitive information in a Web.config file?
- ASP.NET web.config configuration
- Is it safe to store confidential settings in .cs file instead Web.config?