.net core connection string in source code

Question

I'm working through the .net core samples for Entity Framework.

The default samples include the following inside the constructor for the Database Context.

#warning To protect potentially sensitive information in your connection string, you should move it out of source code. 
See http://go.microsoft.com/fwlink/?LinkId=723263 for guidance on storing connection strings.
optionsBuilder.UseSqlServer("Server=servername");

It wasn't mentioned in the link as the warning had stated, I have provided this feedback to Microsoft. https://github.com/aspnet/EntityFramework.Docs/issues/1269

Is there a preferred practice for where to store the sql connection string? If the connection string is in appsettings.json it would still be tracked in source code management. Is the best solution to include an untracked file from appsettings.json?

You should store them in App.config or Web.config depending on the type of app are you creating. You can retrieve them using ConfigurationManager. — BillRuhl
– BillRuhl, Commented Feb 5, 2019 at 22:17

Sangman · Accepted Answer · 2019-02-05 22:18:45Z

1

If an attacker has access to your source code information you're screwed regardless.

Compiled .NET code can be decompiled allowing an attacker to reveal sensitive data, such as a db user password.

Config files can be encrypted before release to hide that sensitive data. See https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files#encrypting-configuration-file-sections-using-protected-configuration

answered Feb 5, 2019 at 22:18

Sangman

16810 bronze badges

Sign up to request clarification or add additional context in comments.

Collectives™ on Stack Overflow

.net core connection string in source code

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related