How to hide connection string, user name, pw when using source control?

Solution 1:

What I find works is to check in a version of the file with blanked or dummy values and then to run:

git update-index --assume-unchanged [fileName]

Git will then stop monitoring changes to that file allowing you to put the real config info into it without fear of checking it in.

If you later make changes that you DO want to check in you can run:

git update-index --no-assume-unchanged [fileName]

Solution 2:

We keep sensitive and/or machine-specific configuration in separate config files, then use configSource to include them like so...

<connectionStrings configSource="cstrings.config"/>

This way you can check in Web.config and a cstrings.config file that has a generic value that can be used on a dev machine. (e.g., (local),...MyAppNameDb...)

For production environments, mark the cstrings.config file as read-only and set up your deployment script so that you don't attempt to write over it. Your production connection string is protected by whatever security you have on that box. This keeps your sensitive strings out of version control.

cstrings.config:

<?xml version="1.0" encoding="utf-8" ?>
<connectionStrings>
    <add name="Default" connectionString="Server=localhost"/>
</connectionStrings>

Solution 3:

You can check in a file like config.sample that contains dummy values. Each developer would then copy that file to config and edit in their own values. You would then put this local file in .gitignore.