The Problem
Many developers make the mistake of adding connection strings to the appsettings file of a .NET application. The file then makes its way into the repository and becomes a target for database attacks. Storing connection strings as plain text in configuration files and checking them into a repository can lead to security vulnerabilities, as sensitive information like passwords can be easily accessed by unauthorised users.
Possible Solution
.NET provides a number of configuration providers for storing and reading configuration. Storing sensitive configuration items like connection strings in an environment variable is the safest way to avoid connection string or password exposure. The value is read from the environment of the process that the application is running in.
This code works locally as well as on Azure after deployment.
In the case of Azure App Service, you just need to add the configuration item and value under Settings > Environment Variables on the App Service in the Azure portal.
To add a connection string to environment variables locally, follow these steps:
1. Set Environment Variable in Your Operating System
On Linux or macOS:
You can set the environment variable in your terminal session:
export DBConnectionString="Server=tcp:your-server.database.windows.net,1433;Database=your-database;User ID=your-username;Password=your-password;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
To make it persistent across sessions, add the above line to your shell configuration file (e.g., ~/.bashrc, ~/.zshrc, or ~/.bash_profile), and then reload the file:
source ~/.bashrc
On Windows:
- Open the Start Menu and search for "Environment Variables."
- Click on Edit the system environment variables.
- In the System Properties window, click Environment Variables.
- Under User variables or System variables, click New.
- Add the following:
  - Variable name: DBConnectionString
  - Variable value: Server=tcp:your-server.database.windows.net,1433;Database=your-database;User ID=your-username;Password=your-password;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
- Click OK to save.
2. Verify the Environment Variable
To ensure the environment variable is set correctly, you can print it in your terminal:
On Linux/macOS:
echo $DBConnectionString
On Windows (Command Prompt):
echo %DBConnectionString%
On Windows (PowerShell):
$env:DBConnectionString
3. Access the Environment Variable in Your Application
In your application, you can access the environment variable using Environment.GetEnvironmentVariable:
var connectionString = Environment.GetEnvironmentVariable("DBConnectionString");
4. Test the Configuration
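Run your application and ensure the connection string is being picked up correctly. You can log the connection string for debugging purposes. Note that this line prints the full value, password included, so remove it once the check is done and keep it out of shared or persisted logs: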
Console.WriteLine($"SQL Connectionstring: {connectionString}");
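A safer way to do the check in step 4, added here as an example and not part of the original post: it prints the connection string with the password masked. `RedactSecrets` is a hypothetical helper name, and the fallback sample value is constructed from the placeholders used in step 1.

```csharp
using System;
using System.Data.Common;

// Constructed sample with the same placeholder values as step 1 (not real credentials).
const string Sample =
    "Server=tcp:your-server.database.windows.net,1433;Database=your-database;" +
    "User ID=your-username;Password=your-password;Encrypt=True;";

// Prefer the real variable; fall back to the sample only so this demo runs anywhere.
var connectionString = Environment.GetEnvironmentVariable("DBConnectionString") ?? Sample;

Console.WriteLine($"SQL connection string: {RedactSecrets(connectionString)}");

// RedactSecrets is a hypothetical helper name, not a .NET API.
static string RedactSecrets(string raw)
{
    var builder = new DbConnectionStringBuilder();
    try
    {
        // Parses key=value pairs, including quoted values that contain ';'.
        builder.ConnectionString = raw;
    }
    catch (ArgumentException)
    {
        // Malformed input: withhold it entirely rather than echo a possible secret.
        return "<connection string withheld: could not be parsed>";
    }

    // Keys are matched case-insensitively; both common spellings are masked.
    foreach (var key in new[] { "Password", "Pwd" })
    {
        if (builder.ContainsKey(key))
        {
            builder[key] = "********";
        }
    }
    return builder.ConnectionString;
}
```

In a real application, replace the sample fallback with a startup failure when the variable is missing, so a misconfigured deployment stops early.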
Summary
- Set the environment variable using your operating system's tools.
- Access the variable in your application using Environment.GetEnvironmentVariable.