A few months ago, I created a bot to scan GitHub for publicly exposed Azure Storage connection strings. The bot then notifies the repository owners on a best-effort basis. What gave me the idea? Well, I accidentally pushed a connection string to GitHub. Even though it was a personal demo project with no sensitive data, I thought that it was still a poor practice on my part.

Upon launch, the scanner quickly found a multitude of exposed connection strings. Since then, it has been detecting about 100 or so valid, unique connection strings per month:

[Chart: Connection strings found per month]

The numbers aren't really too surprising. It's so easy to just hard-code the connection string somewhere and tell yourself "I'll remove it later. Just let me quickly get the prototype out." Guess what: if you're using Git and making commits along the way, it's in your commit history, and removing it from the latest version does not remove it from the repository. Even though the scanner found connection strings hard-coded in all kinds of languages (C#, JavaScript, PHP, you name it), I still partially blame the tooling. After all, how can you not put the connection string in your code when there's a connectionStrings section in web.config and app.config? I believe it would be beneficial for app templates to include a default warning comment -- something along the lines of "it's generally not the best practice to put secrets in your code repository."

Environment variables to the rescue! Since then, I have forced myself to put all connection strings, application IDs, and application secrets in environment variables -- even for personal or demo projects. Why environment variables? Because most popular hosting platforms support them. Here are a few reference links to managing app configurations: Azure Web Apps, Azure Cloud Service, Heroku, App Harbor, etc. I recognize that even environment variables aren't 100% safe: the secret still sits in process memory and in the platform's configuration store. It's probably okay for mid-size applications that can afford to have "secrets" in memory for a short period of time. If your application is handling million-dollar transactions, I'd recommend looking into something like Azure Key Vault.
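As an added example that is not part of the original post, here is a small Python check in the spirit of the scanner described above: it flags lines that carry an Azure Storage AccountKey (a base64-encoded 64-byte key, which renders as 86 base64 characters plus "==") and pairs it with the environment-variable loader that should replace the hard-coded value. The web.config fragment, the dummy key and the variable name AZURE_STORAGE_CONNECTION_STRING are constructed assumptions.

```python
import os
import re

# An Azure Storage connection string is a ';'-separated list of key=value pairs.
# Matching the individual pairs (rather than the whole string) means the check
# works in source files, web.config, .env files, etc., regardless of pair order.
ACCOUNT_KEY_RE = re.compile(r"AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)")
ACCOUNT_NAME_RE = re.compile(r"AccountName=(?P<name>[a-z0-9]{3,24})")


def find_connection_strings(text):
    """Return (line_number, account_name, key_prefix) for each line that carries
    an Azure Storage AccountKey. Only the first four characters of the key are
    reported so a finding can be logged without re-leaking the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key_match = ACCOUNT_KEY_RE.search(line)
        if not key_match:
            continue
        name_match = ACCOUNT_NAME_RE.search(line)
        name = name_match.group("name") if name_match else None
        findings.append((lineno, name, key_match.group("key")[:4] + "..."))
    return findings


def storage_connection_string_from_env(environ=os.environ,
                                       var="AZURE_STORAGE_CONNECTION_STRING"):
    """Read the connection string from the environment; never fall back to a
    literal in the code, so a missing setting fails loudly instead of silently."""
    value = environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set")
    return value


# Constructed sample: one web.config line with a hard-coded key (86 'A's plus
# '==' -- the right shape for an account key, but not a real one) and one line
# that correctly pulls the value from the environment.
SAMPLE_KEY = "A" * 86 + "=="
SAMPLE = (
    "<connectionStrings>\n"
    '  <add name="Storage" connectionString="DefaultEndpointsProtocol=https;'
    f'AccountName=demoaccount;AccountKey={SAMPLE_KEY};EndpointSuffix=core.windows.net" />\n'
    "</connectionStrings>\n"
    'var cs = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");\n'
)

if __name__ == "__main__":
    for lineno, name, prefix in find_connection_strings(SAMPLE):
        print(f"line {lineno}: AccountName={name} AccountKey={prefix} (hard-coded)")
```

Run as a pre-commit hook over staged files, the same function catches the connection string before it ever reaches the commit history.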