Reasons to hide connection strings and other sensitive data from Git
Personally, I don't like adding connection strings and other sensitive data, such as API keys, passwords and SMTP details, to Git repositories.
The main reason for this is that it's just not secure. If, for example, you check in your live server's connection string (IP address, username, password), then you have pretty much given hackers everything they need to log into your server. I understand there are private repositories and public repositories, but I simply believe it is still a bad idea in each case. The more places your sensitive data is stored, the more you are at risk.
I especially don't like checking connection strings into Git when I am working with a team. The reason here is that each team member keeps overwriting the others' connection strings, which wastes time and is a bit annoying. There are other ways around this which I have used in the past, like telling Git to store the file but ignore any updates. I just prefer not to store them in Git.
How I used to remove connection strings from Git with Umbraco 8.
For Umbraco 8, I used to check the web.config into Git but create a separate file for the connection strings, which I didn't check into Git. I would then personally send the connectionsStrings.config file to team members joining the project. I could have done some smart Git stuff like I mentioned above, but this always worked well. In addition, my team quickly got used to this and automatically knew to include a config file.
So as an example my web.config connection strings section would look like this.
Then I would have a config file called appConnectionStrings.config in my website root. This would look something like this.
<remove name="umbracoDbDSN" />
<add name="umbracoDbDSN" connectionString="server=server-name;database=database-name;user id=username;password='password'" providerName="System.Data.SqlClient" />
Umbraco 9 has no Web.Config so how do we do this in the appSettings.json
Actually, I think this way has always been available since earlier versions of .NET. I just already had a solution that worked well for me and never bothered to look at it until now.
Anyway, the way we can do this now is by using something called 'App Secrets'. This comes with .NET 5 out of the box and I didn't need to install anything extra. Here is some information regarding this from Microsoft.
Here are the simple steps you need to follow to remove your connection string from the appsettings.json and automatically exclude it from Git.
Step 1 - Activating 'App Settings' in Umbraco 9
In Visual Studio, right click on your project and look for the button in the context menu called 'Manage User Secrets'.
This will create a JSON file that is stored locally on your machine, outside the project and Git.
Step 2 - Move the appsettings you want to protect
All of the app settings you want to protect need to be moved from the appSettings.json to the Secrets.json file that has been created. For this tutorial we are just going to protect the connectionStrings. You could potentially move anything in here, however.
So your appsettings.json and the Secrets.json should look something like this.
You will notice that my appsettings.json file now no longer contains my connection string.
I can now safely check this into git.
Step 3 - Running and testing the project
So simply rebuild your project and run. Even though there is no connection string in the appsettings.json file, it will still run. This is because the connection string is now being read from the Secrets.json.
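A check that the appsettings.json about to be committed no longer carries a populated connection string, as an added example that is not part of the original article. It goes slightly beyond connection strings by also flagging password-like keys; the key-name and value patterns, the script name and the sample files are assumptions constructed for illustration.

```python
import json
import re
import sys

# Constructed sample: an appsettings.json that still carries the connection string.
SAMPLE_BEFORE = """{
  "ConnectionStrings": {
    "umbracoDbDSN": "server=server-name;database=database-name;user id=username;password='password'"
  }
}"""
# Constructed sample: the same file after the value moved to user secrets.
SAMPLE_AFTER = '{"connectionStrings": {"umbracoDbDSN": ""}, "Serilog": {"MinimumLevel": "Information"}}'

# Assumed heuristics: key names and value patterns that suggest a credential.
SENSITIVE_KEY = re.compile(r"(?i)password|secret|api_?key")
CREDENTIAL_IN_VALUE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\s]")


def find_committed_secrets(appsettings_text):
    """Return colon-separated key paths whose values should not be in Git."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str) and node.strip():
            key = path[-1] if path else ""
            # .NET configuration keys are case-insensitive, so compare lowered.
            in_conn = any(p.lower() == "connectionstrings" for p in path)
            if in_conn or SENSITIVE_KEY.search(key) or CREDENTIAL_IN_VALUE.search(node):
                findings.append(":".join(path))

    walk(json.loads(appsettings_text), [])
    return findings


if __name__ == "__main__":
    # Hypothetical use as a pre-commit check: python check_appsettings.py appsettings.json
    # utf-8-sig tolerates the byte-order mark Visual Studio may write.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    hits = find_committed_secrets(text)
    for hit in hits:
        print(f"populated sensitive setting: {hit}")
    sys.exit(1 if hits else 0)
```

The secrets file itself is plain, unencrypted JSON in the user profile, so it keeps values out of the repository on development machines rather than acting as a protected store.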
This is very easy to get up and running. Just remember that the connection string is no longer in the appsettings.json and so will no longer be stored in Git. This means that if you are working with a team, when they pull down the project it is not going to work. In fact, it is one worse: because it doesn't have a connection string, when they start the project Umbraco will think it requires a fresh install and start up the database wizard.
Just remember to let your developers know to follow the same process.
I recommend adding notes to the Git readme file. That's what I will do anyway.
I would add some instructions like the following. I know too well that if you don't touch this project for a number of months, it's likely you might forget the setup.
Sensitive App Settings
Connection strings and other sensitive app settings are stored in 'App Secrets'
To configure these within Visual Studio...
1. Right click on the project 'Umbraco Project'
2. Click on 'Manage User Secrets'
3. Copy and paste in the following JSON
"umbracoDbDSN": "server=server-name-here;database=database-name-here;user id=username-here;password='password-here'"
4. You should now be able to run the project and the connection string is read from the secrets
If you are looking for some extra information on what else to exclude from Git, check out my related article called 'Umbraco 9 Git Ignore'.