DEV Community

Vimal

Securely Managing Secrets in Configuration in .NET Applications

The Problem

Many developers make the mistake of adding connection strings to the appsettings file of a .NET application. That file makes its way into the repository and becomes a target for database attacks. Storing connection strings as plain text in configuration files and checking them into a repository creates a security vulnerability, because sensitive information such as passwords can easily be accessed by unauthorised users.

Possible Solution

.NET provides a number of configuration providers for storing and reading configuration. Keeping sensitive configuration items such as connection strings in an environment variable is the safest way to avoid connection string or password exposure: the value is read from the environment of the process the application runs in, not from a file that can be committed to the repository.
This approach works locally as well as on Azure after deployment.

In the case of Azure App Service, you just need to add the configuration item and its value under Settings > Environment Variables on the App Service in the Azure portal.


To add a connection string to environment variables locally, follow these steps:

1. Set Environment Variable in Your Operating System

On Linux or macOS:

You can set the environment variable in your terminal session:

export DBConnectionString="Server=tcp:your-server.database.windows.net,1433;Database=your-database;User ID=your-username;Password=your-password;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

To make it persistent across sessions, add the above line to your shell configuration file (e.g., ~/.bashrc, ~/.zshrc, or ~/.bash_profile), and then reload the file:

source ~/.bashrc

On Windows:

  1. Open the Start Menu and search for "Environment Variables."
  2. Click on Edit the system environment variables.
  3. In the System Properties window, click Environment Variables.
  4. Under User variables or System variables, click New.
  5. Add the following:
    • Variable name: DBConnectionString
    • Variable value: Server=tcp:your-server.database.windows.net,1433;Database=your-database;User ID=your-username;Password=your-password;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
  6. Click OK to save.

2. Verify the Environment Variable

To ensure the environment variable is set correctly, you can print it in your terminal:

On Linux/macOS:

echo $DBConnectionString

On Windows (Command Prompt):

echo %DBConnectionString%

On Windows (PowerShell):

$env:DBConnectionString

3. Access the Environment Variable in Your Application

In your application, you can access the environment variable using Environment.GetEnvironmentVariable:

var connectionString = Environment.GetEnvironmentVariable("DBConnectionString");

4. Test the Configuration

Run your application and ensure the connection string is being picked up correctly. You can log the connection string for debugging purposes, but note that this writes the password to the console or log output, so do it only on a local machine and remove it before the application is deployed:

Console.WriteLine($"SQL Connectionstring: {connectionString}");
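The following is an added example covering steps 3 and 4 together; it is not code from the original post. It reads the same DBConnectionString variable, fails at startup if the variable is missing, and logs a copy with the password masked so the server, database and user name can still be checked without writing the secret to the log. The class name DbConfig and the use of DbConnectionStringBuilder from System.Data.Common (part of the base class library, so no extra package is needed) are my choices.

```csharp
using System;
using System.Data.Common;
using System.Linq;

// Added example (not from the original post): read the DBConnectionString
// environment variable the article describes, fail fast if it is absent,
// and produce a redacted copy that is safe to log.
public static class DbConfig
{
    public const string VariableName = "DBConnectionString";

    // Connection string keys that carry the secret part of a SQL Server string.
    private static readonly string[] SecretKeys = { "password", "pwd" };

    public static string GetRequiredConnectionString()
    {
        var value = Environment.GetEnvironmentVariable(VariableName);
        if (string.IsNullOrWhiteSpace(value))
        {
            // Fail at startup rather than at the first query, so a missing
            // variable is noticed immediately on a new machine or App Service.
            throw new InvalidOperationException(
                $"Environment variable '{VariableName}' is not set.");
        }
        return value;
    }

    // Masks the password so the rest of the string (Server, Database, User ID)
    // can be logged while verifying that the variable was picked up.
    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        // Copy the keys first: the builder must not be changed while its
        // key collection is being enumerated.
        foreach (var key in builder.Keys.Cast<string>().ToList())
        {
            if (SecretKeys.Contains(key, StringComparer.OrdinalIgnoreCase))
            {
                builder[key] = "*****";
            }
        }
        return builder.ConnectionString;
    }

    public static void Main()
    {
        var connectionString = GetRequiredConnectionString();
        // Logs e.g. "...;User ID=your-username;Password=*****;Encrypt=True;..."
        Console.WriteLine($"SQL Connectionstring: {Redact(connectionString)}");
    }
}
```

With the variable set as in step 1, the log line shows every part of the string except the password; with it unset, the application stops with a clear message instead of failing later on the first database call.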

Summary

  • Set the environment variable using your operating system's tools.
  • Access the variable in your application using Environment.GetEnvironmentVariable.

Let me know if you need further assistance!
