Azure deploying a web.config file with connection string in plain text

1
votes

The web.config file within my code just contains my local dev database connection string, and when I deploy my web app to Azure, it is correctly taking my database's connection string from the Connection Strings entry within Application Settings on the Portal. However it is then creating and deploying a web.config file with this string in plain text (I can see this if I check the file via FTP).

Is this the correct behaviour? I don't really want the connection string to be stored in plain text within the deployed web.config file (however secure that may already be).

Is it now a case of encrypting that section of the web.config file via some build/deploy step? I have seen this mentioned in other posts but it's unclear how to do it on Azure.

N.B. Apologies if this has already been asked by I've done a lot of searching and just can't find anything referring directly to the final web.config file deployed.

1
c#asp.netazureweb-configazure-web-app-service
Already try this one? stackoverflow.com/questions/36951231/…LoreX75
It turns out I was stupidly leaving the 'Use this connection string at runtime (update destination web.config)' box ticked on the VS publish to Azure wizard, so this was what was injecting the connection string.DaveU
Also however because I had the 'Execute Code First Migrations' box ticked a second "Context_DatabasePublish" conn string was also being added (a 2nd copy essentially) - so I have decided to run my Code First migrations manually via code rather than using this option and web.config, as outlined here > stackoverflow.com/questions/30280346/…. The result is now just my local dev conn string in the web.config and this gets swapped out at runtime by Azure to the value in my portal application settingsDaveU
Thanks for the link though, that will come in useful no doubt at some point down the lineDaveU
Do you have any update about this thread?Tom Sun - MSFT

1 Answers

1
votes

If we don't want to config the connection string in the Web.config in plain text. We could set the connection string in the Azure Website appsetting to replace it in the web.config.

There is a tutorials about How Application Strings and Connection Strings Work

Developers can store plain vanilla key-value pairs as well as key-value pairs that will be used as connection strings. Since the key-value pairs are stored behind the scenes in the Windows Azure Web Sites configuration store, the key-value pairs don’t need to be stored in the file content of your web application From a security perspective that is a nice side benefit since sensitive information such as Sql connection strings with passwords never show up as cleartext in a web.config or php.ini file.