
I am starting to play around with MVC 6 and I am wondering, with the new config.json structure... are my connection strings safe in the config.json file?

Also, I was watching a tutorial video and I saw the person only put their connection strings in their config.dev.json file, not just the config.json. This will mean the application will not have the connection strings while on the production side, correct? He must have meant to put them in both.

Thanks a lot for the help!

blubberbo

1 Answer


I think the Working with Multiple Environments document sums it up pretty well.

Basically, you can farm secret settings such as connection strings out into different files. These files would then be ignored by your source control system and every developer will have to manually create the file on their system (it might help to add some documentation on how to set up a project from a fresh clone of SCC).

For production, the compile will include the production settings. Typically, these are provided by a build server where they are locked away from developers. I'm not sure if that is totally automatic with MVC core or you have to add some kind of build step to do it, but that is how it is normally done.

If you are worried about storing connection strings in the production environment securely, you can extend the framework with your own configuration provider.

NightOwl888
  • Thanks for the answer! That article was really helpful. My question was really just about the security aspect. Are the connection strings secure in the config.json file, or are they exposed? – blubberbo Apr 09 '16 at 20:14
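
One way the custom configuration provider mentioned in the answer could look, as an added example that is not part of the original answer or of ASP.NET itself. It assumes the `Microsoft.Extensions.Configuration.Json` package; `SecretDirectorySource`, `SecretDirectoryProvider`, the one-file-per-key layout with `__` standing for `:`, and the sample connection string are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Extensions.Configuration;

// Hypothetical source/provider (names are this example's own): every file in a
// directory is one setting. File name = key ("__" stands for ":"), content = value.
public sealed class SecretDirectorySource : IConfigurationSource
{
    public string SecretsDir { get; set; }
    public IConfigurationProvider Build(IConfigurationBuilder builder) => new SecretDirectoryProvider(SecretsDir);
}

public sealed class SecretDirectoryProvider : ConfigurationProvider
{
    private readonly string _dir;
    public SecretDirectoryProvider(string dir) { _dir = dir; }
    public override void Load()
    {
        var data = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (Directory.Exists(_dir))   // a missing directory simply yields no settings
            foreach (var file in Directory.GetFiles(_dir))
                data[Path.GetFileName(file).Replace("__", ":")] = File.ReadAllText(file).Trim();
        Data = data;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a secrets directory as a build or ops team would provision it.
        var dir = Path.Combine(Path.GetTempPath(), "demo-secrets");
        Directory.CreateDirectory(dir);
        File.WriteAllText(Path.Combine(dir, "ConnectionStrings__Default"),
            "Server=db.example.internal;Database=App;Integrated Security=true\n");

        var config = new ConfigurationBuilder()
            .AddJsonFile("config.json", optional: true)          // non-secret defaults, in source control
            .AddJsonFile("config.dev.json", optional: true)      // developer-local, ignored by source control
            .Add(new SecretDirectorySource { SecretsDir = dir }) // secrets kept outside the repository
            .Build();

        // Fail at startup when no layer supplied the value (e.g. only the dev file had it).
        var conn = config.GetConnectionString("Default");
        if (string.IsNullOrEmpty(conn))
            throw new InvalidOperationException("ConnectionStrings:Default is not configured.");
        Console.WriteLine("Connection string loaded (" + conn.Length + " chars)"); // never log the value
    }
}
```

Sources added later override earlier ones, so the secrets directory wins over both JSON files. The directory should be readable only by the account the application runs as.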