Reputation: 12862
In my web app, which is hosted as an Azure App Service, I have the following in my web.config for testing:
<connectionStrings>
<add name="ProductionConnection" providerName="System.Data.SqlClient" connectionString="Data Source=tcp:something.database.windows.net,1433;Initial Catalog=DatabaseName;User Id=admin@sssdddr;Password=Pass@word1;Trusted_Connection=False;Encrypt=True;Connection Timeout=30; MultipleActiveResultSets=True" />
</connectionStrings>
I'm trying to follow some basic security best practices here, so I've moved my connection string up to the Application Settings section of my web app:
This particular setting is a bad example because ideally I'd only ever have ProductionConnection stored in Azure and never used locally - but for other connection strings and appSettings used both locally and in production that should be protected, how should I handle the values when developing locally?
Upvotes: 3
Views: 2629
Reputation: 797
If you're looking to secure secrets/connection strings from developers, go for Azure Key Vault, which is designed to secure all your secrets from everyone. Each secret will be exposed as a URI for the end developer to consume via REST.
For this, you need to register your application with Azure AD, as Key Vault would request an AD token to provide secrets.
Upvotes: 2
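The two-step flow described in the answer above (an Azure AD token for the registered application, then a REST read of the secret's URI), as an added C# example that is not part of the original answer. The class name and the environment variable names are hypothetical, and it assumes C# 7.1 or later with System.Text.Json available.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public static class KeyVaultRestExample // hypothetical class name
{
    static readonly HttpClient Http = new HttpClient();
    // Bootstrap values are read from environment variables (hypothetical names), not web.config.
    static string Env(string name) => Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException("Missing setting: " + name);

    // Step 1: the application registered in Azure AD requests a token for Key Vault.
    static async Task<string> GetTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials", ["scope"] = "https://vault.azure.net/.default",
            ["client_id"] = clientId, ["client_secret"] = clientSecret
        });
        var url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        using (var resp = await Http.PostAsync(url, form))
            return await ReadStringAsync(resp, "access_token");
    }

    // Step 2: the secret's URI (https://<vault>.vault.azure.net/secrets/<name>) is read with that token.
    static async Task<string> GetSecretAsync(string secretUri, string token)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, secretUri + "?api-version=7.4");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using (var resp = await Http.SendAsync(req))
            return await ReadStringAsync(resp, "value");
    }

    static async Task<string> ReadStringAsync(HttpResponseMessage resp, string property)
    {
        resp.EnsureSuccessStatusCode(); // fail on any non-2xx response before parsing
        using (var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()))
            return doc.RootElement.GetProperty(property).GetString();
    }

    public static async Task Main()
    {
        var token = await GetTokenAsync(Env("KV_TENANT_ID"), Env("KV_CLIENT_ID"), Env("KV_CLIENT_SECRET"));
        var connectionString = await GetSecretAsync(Env("KV_SECRET_URI"), token);
        Console.WriteLine("Retrieved a secret of " + connectionString.Length + " characters"); // never log the value
    }
}
```

The client secret used in step 1 is itself a credential, so it needs the same handling as the connection string it protects: supplied through the environment on each machine and kept out of source control.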
Reputation: 62270
I mean the connection string value / app setting should not be baked into the application's bin directory
Connection strings are normally located inside the web.config file. web.config will never be inside the bin folder; we normally place it inside the application's root folder.
I believe you mean storing sensitive information like the username and password to access SQL Server. You cannot hide the connection string and settings from developers who are debugging the application.
In a corporate environment, we (developers) use Windows Authentication to access SQL Server.
Upvotes: 1