I had a very nasty experience with hosting an MVC 5 application on Azure. I read the following page: http://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
But I could not add the following to my head:
Security Warning: Do not add your secrets to the .config file in your project or check it in the original control. By default, Visual Studio sets the Compose action to Content, which means the file is deployed. For more information, see “Why aren’t all the files in the project folder deployed? Although you can use any extension for the secrets.config file, it’s best to store it .config because the configuration files are not served by IIS. Also note that the AppSettingsSecrets file. config is two levels of directories from the web.config file, so it completely leaves the solution directory. Moving the file from the solution directory, "git add *" will not add it to your repository.
and
Security warning. Unlike the AppSettingsSecrets.config file, the external connections file must be in the same directory as the web.config root file, so you need to take precautions to make sure that you are not checking the source repository .
The problem is this: when I download the Web.config file with external files without being included, I am struck by "The system cannot find the specified file", so to remove it I must include .config files that hit the purpose of Microsoft publishing.
I really really don't get it. I added the connectionStrings and appSetting keys to the Azure portal. What is the correct and safe way to enter my passwords and secrets on the Internet? What am I missing? Is it because I'm working in debug mode?
Accordingly: How to protect passwords stored in web.config?
Nothing to worry about accessing the Web.config file ...
But that just challenges the Microsoft post.
Thanks.
Jose A
source share