54

I'm working on a small side-project and I'm using connection strings and also api keys and values that should not be seen or used by other people. I use a public GitHub account for source control. What is the usual method for using source control when these values are in plain text in web.config?

Do I need to remove the values manually before checking in code?

Improve this question
1
  • 2
    I usually just remove it before checking in, but that is error prone, and inconvenient. I'd like to hear some ideas on this too. Commented Jul 5, 2010 at 2:08

3 Answers 3

Reset to default
78

What I find works is to check in a version of the file with blanked or dummy values and then to run:

git update-index --assume-unchanged [fileName]

Git will then stop monitoring changes to that file allowing you to put the real config info into it without fear of checking it in.

If you later make changes that you DO want to check in you can run:

git update-index --no-assume-unchanged [fileName]
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

spot on! that's what i was looking for. no workarounds, just works!
Very useful! I combined this approach with the other solution (configSource) to only hide connectionstrings but allow easy config changes.
this approach resets the file content if you use git stash and git stash pop :(
36

We keep sensitive and/or machine-specific configuration in separate config files, then use configSource to include them like so...

<connectionStrings configSource="cstrings.config"/>

This way you can check in Web.config and a cstrings.config file that has a generic value that can be used on a dev machine. (e.g., (local),...MyAppNameDb...)

For production environments, mark the cstrings.config file as read-only and set up your deployment script so that you don't attempt to write over it. Your production connection string is protected by whatever security you have on that box. This keeps your sensitive strings out of version control.

cstrings.config:

<?xml version="1.0" encoding="utf-8" ?>
<connectionStrings>
    <add name="Default" connectionString="Server=localhost"/>
</connectionStrings>
Improve this answer

Comments

5

You can check in a file like config.sample that contains dummy values. Each developer would then copy that file to config and edit in their own values. You would then put this local file in .gitignore.

Improve this answer

4 Comments

gitignore won't work on files which are already being tracked.
this is the pragmatic solution
@nathanchere, actually gitignore works on files which are already being tracked. Just, in order to make gitignore working one has to "stop tracking" those files git rm -cached filename. This command will remove file from git repository, but will keep it physically in the local repo. And, if it will be added to .gitignore - then it will be not tracked.
Everyone will have to manually do that locally though. It's not an automatic thing we can set on the repository itself.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.