I am working on a C# program that retrieves information from a web service and it uses an API key for authentication.
Currently I have hardcoded this value in my program, but since I would like to keep the code in a public GitHub repository I have to remove it by hand before committing.
What is a more automated way of preventing me from accidentally committing with the API key still in the code?
I was thinking of creating a script that adds the secrets in using pre/post-build command execute options in Visual Studio. This way I never have to keep the API key in the code and it will be removed after building so committing it by accident will never happen.
Use a configuration file or the Windows Registry.
I’d also recommend encrypting it. On Windows you can use the Data Protection API (DPAPI). .NET 2.0+ has a class called ProtectedData that’s very simple to use. This way if you do commit your configuration the key is still encrypted and will only work on your machine or even for your user on that machine depending on how you scope your data protection. You’ll want to make some way for people to enter in a key to use on their machines though.
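The DPAPI approach from the answer above, as an added example that is not part of the original post: the key is prompted for once, protected with `ProtectedData`, and stored outside the working tree. The `ApiKeyStore` class, the `MyApp` folder, the file name and the entropy string are assumptions for illustration; on .NET Framework reference the `System.Security` assembly, on newer .NET add the `System.Security.Cryptography.ProtectedData` package (Windows only).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: the API key lives DPAPI-protected in a file, never in source.
static class ApiKeyStore
{
    // Assumed location; a path outside the repository cannot be committed by accident.
    static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "MyApp", "apikey.protected");
    // Optional entropy ties the blob to this application; it is not a secret by itself.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ApiKey.v1");

    public static void Save(string apiKey)
    {
        // CurrentUser: only this Windows account can decrypt the blob.
        // LocalMachine would let any account on this machine decrypt it.
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(apiKey), Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath));
        File.WriteAllText(StorePath, Convert.ToBase64String(blob));
    }

    public static string Load()
    {
        if (!File.Exists(StorePath)) return null;
        try
        {
            byte[] blob = Convert.FromBase64String(File.ReadAllText(StorePath));
            return Encoding.UTF8.GetString(
                ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser));
        }
        // Blob copied from another user or machine, or a corrupted file: ask again.
        catch (Exception ex) when (ex is CryptographicException || ex is FormatException)
        { return null; }
    }
}

static class Program
{
    static void Main()
    {
        string key = ApiKeyStore.Load();
        if (key == null)
        {
            Console.Write("Enter API key: ");
            key = Console.ReadLine() ?? "";
            ApiKeyStore.Save(key);
        }
        Console.WriteLine("API key loaded ({0} characters).", key.Length);
    }
}
```

A blob written under `DataProtectionScope.CurrentUser` fails to decrypt for any other account, so each developer enters their own key on first run.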