[英]Securing web.config settings
We are developing an ASP.NET MVC 5 application.我们正在开发一个 ASP.NET MVC 5 应用程序。 We hired some remote developers to help us with the project.
我们聘请了一些远程开发人员来帮助我们完成该项目。
The web.config file contains connection strings and app settings that we don't want to share with these remote developers. web.config 文件包含我们不想与这些远程开发人员共享的连接字符串和应用程序设置。 To work on our application, these developers remote into a development desktop that we control.
为了处理我们的应用程序,这些开发人员远程进入我们控制的开发桌面。
What is the best practice for securing sensitive information in web.config, so that developers can still run and debug application but not read the sensitive info in web.config?在 web.config 中保护敏感信息的最佳实践是什么,以便开发人员仍然可以运行和调试应用程序,但不能读取 web.config 中的敏感信息?
Encrypting the web.config
in a development environment is pointless.在开发环境中加密
web.config
毫无意义。 The only way to truely hide the information from the developers is not to give it to them in the first place.真正向开发人员隐藏信息的唯一方法是首先不要将其提供给他们。
.config
files so they are not checked into source control..config
文件中来实现这一点,这样它们就不会被签入源代码管理。 TIP: Ignore the file with the actual passwords and add another one with the same name and an extension such as .config.example
that is checked in to give the developer instructions on how to setup the file on their local system (which is a helpful reminder regardless of who sets up the system from a clone of the source control repository)..config.example
已签入以向开发人员提供有关如何在其本地系统上设置文件的说明(这很有帮助)提醒无论是谁从源控制存储库的克隆设置系统)。 There is really no reason why a developer should even be given a chance to see sensitive production data such as passwords and private keys.真的没有理由让开发人员有机会查看敏感的生产数据,例如密码和私钥。
Like Ingenioushax
suggested, the standard way of encrypting sections of web.config is using aspnet_regiis.就像
Ingenioushax
建议的那样,加密 web.config 部分的标准方法是使用 aspnet_regiis。 Here is a tutorial . 这是一个教程。
How are you deploying your application?你如何部署你的应用程序?
If you use a tool such as Octopus Deploy - that only your onshore team have access to - you can use that to store any sensitive settings.如果您使用Octopus Deploy 之类的工具 - 只有您的陆上团队可以访问 - 您可以使用它来存储任何敏感设置。 These will get inserted into your configuration file during deployment.
这些将在部署期间插入到您的配置文件中。
In Octopus Deploy these are known as configuration variables .在 Octopus Deploy 中,这些被称为配置变量。
This assumes that the sensitive settings are for environments other than ones that the developers will use themselves (Production and UAT, for example).这假定敏感的设置是比那些开发者会使用他们自己(生产和UAT,例如)其他环境。
您可以将配置变量存储在环境变量中,并在运行时将它们读入应用程序 - 这更好,因为每个开发人员和环境都可以拥有自己的配置,这些配置永远不会与其他人发生冲突。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.