Skip to the content

Umbraco 9 - Protecting ConnectionStrings from Git

Reasons to hide connection strings and other sensitive data from Git

Personally I don't like adding connection strings and other sensitive data which as API keys, password, SMTP Details into git repositories.

The main reason for this is the fact its just not secure. If for example you check your live servers connection string (IP address, username, password) then you have pretty much given hackers everything they need to log into your server. I understand there are private repositories and public repositories but I simply believe it is still a bad idea in each case. The more places your sensitive is stored then the more you are at risk. 

I especially don't like checking connection strings into Git when I am working with a mean. The reason here is that each team member needs to keep overwriting each others connection strings which wastes time and is a bit annoying. There are other ways around this which I have used in the past like telling Git to store the file but ignore any updates. I just prefer not to store them in Git. 

How I used to remove connection strings from Git with Umbraco 8.

How I used to do this for Umbraco 8 is check the web.config into Git but create a separate file for the connections strings which I didn't check into Git. I would then personally send connectionsStrings.config file to my team members joining on the project. I could have done some smart Git stuff like I mentioned above but this always worked well. In addition my team quickly got used to this and automatically knew to include a config file.

So as an example my web.config connection strings section would look like this.

<connectionStrings configSource="appConnectionStrings.config"/>

Then I would have a config file called appConnectionStrings.config in my website root. this would look something like this.

     <remove name="umbracoDbDSN" />
     <add name="umbracoDbDSN" connectionString="server=server-name;database=database-name;user id=username;password='password'" providerName="System.Data.SqlClient" />

Umbraco 9 has no Web.Config so how do we so this in the appSettings.json

Actually I think this way has always been available since earlier versions of .Net. I just already has a solution that worked well for me and never bothered to look at it until now.

Anyway the way we can do this now is by using something called 'App Secrets'. This comes with .Net 5 out of the box and I didn't need to install anything extra. Here is some information regarding this from microsoft.

Here are the simple steps you need to follow to remove your connection string from the appsettings.json and automatically excluding them from Git.

Step 1 - Activating 'App Settings' in Umbraco 9

In Visual Studio right click on your project and look for the button in the context menu called 'Manage User 'Secrets'.

This will create a JSON file that is stored locally on your machine external to the project or git.

Umbraco 9 App Secrets

Step 2 - Move the appsettings you want to protect

All of the app settings you want to protect need moving from the appSettings.json to the Secrets.json file that has been created. For this tutorial we are just going to protect the connectionStrings. You could potentially move anything into here however.

So your appsettings.json and the Secrets.json should look something like this.

Umbrac9 9 App Secrets Compare

You will notice that my appsettings.json file now no longer contains my connection string.

I can now safely check this into git.

Step 3 - Running and testing the project

So simple re-build your project and run. Even though there is no connection string in the appsettings.json file it will still run. This is because the connection string is now been read from the Secrets.json.

To Finalise....

This is very easy to get up and running. Just remember that now the connection string is no longer in the appsettings.json and this will now no longer be stored in Git. This means if you are working with a team when they pull down the project is it not going to work. In-fact one worst. Because it doesn't have a connection string when they start the project Umbraco will think it requires a fresh install and start up the database wizard.

Just remember to let you developers know to follow the same process.

I recommend adding notes to Gits readme file. That's what I will do anyway.

I would add some instructions like the following. I know too well if you dont touch this project for a numkber of months it's likely you might forget the setup.

Sensitive App Settings
Connection strings and other sensitive app settings are stored in 'App Secrets'
To configure these within Visual Studio...
1. Right click on the project 'Umbraco Project'
2. Click on 'Manage User Secrets'
3. Copy and paste in the following json
     "ConnectionStrings": {
          "umbracoDbDSN": "server=server-name-here;database=database-name-here;user id=username-here;password='password-here'"
4. You should now be able to run the project and the connection string is read from the secrets

If you are looking for some extra information on what else to exclude from git check out my related article called 'Umbraco 9 Git Ignore'.

About the author

David Armitage

.Net MVC Developer
.Net Core Developer
Umbraco Certified Master
Recruitment Professional

Hey Peeps,

I'm an entrepreneur and web developer with a passion for coding. I absolutely love working with Umbraco CMS and appreciate the Umbraco community even more.

I've got 10 years+ .Net experience and 7 years+ experience working in the recruitment industry, both coding and marketing job websites. I wanted to use my skills to help give something back to this awesome community and so I decided to build

My vision & fundamentals

I want this website to be a place where Umbraco Professionals and Umbraco Partners can advertise their services but at the same time I want to filter out all the under-qualified freelancers & agencies that take up the biggest part of other job & freelancer websites. We've all worked hard to gain our Umbraco certifications, partnership status, and help build the Umbraco community to what it is today. I want to see everyone get rewarded for their efforts.

Follow me on social media

If you're an Umbraco professional, partner, employer, recruiter or a passionate Umbraco community builder then I'm more than happy to hear from you. Follow me on my social media channels and please reach out if you have any needs, want help or consultation with anything Umbraco related or just want a general chat.

comments powered by Disqus

Blog Filter

How we can help?

Need help with an Umbraco project?

Need help with a project but not too sure who to approach? Send us your project brief and budget. We will provide a free consultation and can help you gather quotes from the best and most suitable freelancers or agencies.

Looking to hire an Umbraco Professional?

Have you got job vacancy and want to hire an Umbraco professional? Post a job on our website for free. Alternatively let us know your requirements and we will send suitable prospects your way.

Claim your free profile!

Are you an Umbraco Freelance Developer or Umbraco partner that wants to advertise on our site? If you work with Umbraco or registered as an Umbraco partner then you can create a profile for free.

Let's build the Umbraco Community

We're big on building the Umbraco community and we think you guys are awesome! If there's anyway at all we can help then please reach out.