
So I'm currently working as part of a project for a degree course. We have a real client who is having a website developed for them. There are connections to databases within this site, which are stored in the "appsettings.json" file of the project. This is all local stuff at the moment but will be moving to a live server in the next couple of days.

I am wondering if this JSON file needs to be encrypted or abstracted so that the connection strings, which include the obvious things (IPs, passwords, users), can't be accessed by someone attempting to break into the site.

If it does, what is the best practice to go about this?

Cheers

Quasimodo
  • https://stackoverflow.com/a/49696615/11320426 – Luka Rakic May 21 '20 at 12:51
  • If you must put some important information in appsettings.json, then please refer to this article: https://stormpath.com/blog/store-protect-sensitive-data-dotnet-core – LouraQ May 22 '20 at 07:32

1 Answer

This may not be the quick answer you are probably hoping for, but a better way is for your app to receive its database credentials (and indeed all secrets) through environment variables.

It sounds like you are a student. Congrats! Those are fun times. As you gain experience, you'll run into many problems such as this that are best handled by sticking to the 12-factor app guidelines. It would be well worth your time to review those.

Freedom_Ben
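The environment-variable approach from the answer above, as an added example that is not part of the original post. It assumes a connection string named `DefaultConnection` (a hypothetical name) and the `Microsoft.Extensions.Configuration` JSON and environment-variable providers that ASP.NET Core projects already reference.

```csharp
// Added example: class and connection-string names are assumptions.
using System;
using System.Data.Common;
using Microsoft.Extensions.Configuration;

public static class ConnectionStringLoader
{
    // Keys whose values must never reach logs or error pages.
    private static readonly string[] SecretKeys = { "Password", "Pwd" };

    public static string Load(string name = "DefaultConnection")
    {
        // Later providers override earlier ones, so the environment variable
        // ConnectionStrings__DefaultConnection ("__" maps to ":") wins over
        // anything left in appsettings.json.
        IConfiguration config = new ConfigurationBuilder()
            .SetBasePath(AppContext.BaseDirectory)
            .AddJsonFile("appsettings.json", optional: true)
            .AddEnvironmentVariables()
            .Build();

        string value = config.GetConnectionString(name);
        if (string.IsNullOrWhiteSpace(value))
            // Fail fast at startup instead of on the first database call.
            throw new InvalidOperationException(
                $"Connection string '{name}' is not set. " +
                $"Set the environment variable ConnectionStrings__{name}.");
        return value;
    }

    // Returns a copy that is safe to log: secret values are masked.
    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        foreach (string key in SecretKeys)
            if (builder.ContainsKey(key)) builder[key] = "***";
        return builder.ConnectionString;
    }

    public static void Main()
    {
        string cs = Load();
        Console.WriteLine("Using: " + Redact(cs));
    }
}
```

With this in place, the `appsettings.json` committed to source control can hold non-secret settings only, and the live server supplies the credentials through its own environment.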