As a developer, you will undoubtedly work with sensitive information such as passwords. How you handle this information during development is very important. In the past, I have received copies of a client's live database to use for testing. This does pose a very real security risk for your client.
Often, we keep settings in a web.config file (when working with web applications). For this example, though, I will be demonstrating a console application that uses an App.config file. The same logic can be applied to a web.config file too.
Creating a console application is the quickest way to demonstrate this recipe. If, however, you want to follow along using a web application (and securing a web.config file), you can do so.
App.config file. This is the file that contains the sensitive data:
App.config file, you will see that within the appSettings tag there is a key added called Secret. This information should probably not be in the App.config to start off with. The problem here is that it might be checked into your source control. Imagine that on GitHub?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/>
  </startup>
  <appSettings>
    <add key="name" value="Dirk"/>
    <add key="lastname" value="Strauss"/>
    <add key="Secret" value="letMeIn"/>
  </appSettings>
</configuration>
App.config file into another file. To do this, we specify a path to a file that will contain the sensitive data we want to remove from the App.config file:
<appSettings file="C:\temp\secret\secret.config">
You might be wondering, why not simply just encrypt the information? Well, that is a given really. The reason this value is in plain text is just to demonstrate a concept here. You would probably encrypt this value anyway in a real-world situation. You would not, however, want this sensitive information sitting on a server in a code repository somewhere, even if it is encrypted. Be safe, move it out of your solution.
App.config file property. Create your secret.config file and open it up for editing:
appSettings section and add the Secret key to it. What happens now is that when your console application runs, it reads the appSettings section in your solution and finds the reference to the secret file. It then looks for the secret file and merges it with the App.config in your solution:
System.Configuration to your references:
Program.cs file, add the following using statement:
using System.Configuration;
Secret key setting from your App.config file. Only this time, it will read the merged file, which is made up of your App.config and your secret.config file:
// Reads from the merged settings: App.config plus the external secret.config
string sSecret = ConfigurationManager.AppSettings["Secret"];
Console.WriteLine(sSecret);
Console.ReadLine();
secret.config file, which was merged with the App.config file at runtime:
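The file attribute on appSettings does not raise an error when the external file is missing, so reading Secret simply returns null. The following is an added example, not part of the original recipe, that fails at startup if the key is still inline in App.config, if the external file is absent, or if the value is empty. SecretGuard and GetRequired are hypothetical names, and the code assumes the App.config and secret.config set up in this recipe.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Xml.Linq;

// Added example. Assumes secret.config has an <appSettings> root element
// containing <add key="Secret" value="..."/>, as the recipe describes.
static class SecretGuard
{
    public static string GetRequired(string key)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        // 1. The key must not be defined inline in the deployed App.config,
        //    because that file is the one that gets checked into source control.
        XElement inline = XDocument.Load(config.FilePath).Root.Element("appSettings");
        if (inline != null &&
            inline.Elements("add").Any(e => (string)e.Attribute("key") == key))
            throw new ConfigurationErrorsException(
                "'" + key + "' is defined inline in " + config.FilePath);

        // 2. The external file must be declared and present. The runtime
        //    ignores a missing file, so check for it explicitly.
        string external = config.AppSettings.File;
        if (string.IsNullOrEmpty(external))
            throw new ConfigurationErrorsException("appSettings has no file attribute.");
        if (!Path.IsPathRooted(external))
            external = Path.Combine(Path.GetDirectoryName(config.FilePath), external);
        if (!File.Exists(external))
            throw new ConfigurationErrorsException("Missing settings file: " + external);

        // 3. Read the merged value and refuse to continue without it.
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("'" + key + "' is empty or not set.");
        return value;
    }
}

class Program
{
    static void Main()
    {
        string secret = SecretGuard.GetRequired("Secret");
        // Report that the value loaded without echoing it to the console.
        Console.WriteLine("Secret loaded ({0} characters).", secret.Length);
    }
}
```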