Merge pull request #291740 from craigshoemaker/webps/ropc/disclaimer

[Web PubSub] Update: Add connection string disclaimer

Author: JamesJBarnett

articles/azure-web-pubsub/howto-integrate-app-service.md

@@ -12,6 +12,8 @@ ms.date: 05/17/2023
 
 A new class of applications is reimagining what modern work could be. While [Microsoft Word](https://www.microsoft.com/microsoft-365/word) brings editors together, [Figma](https://www.figma.com) gathers up designers on the same creative endeavor. This class of applications builds on a user experience that makes us feel connected with our remote collaborators. From a technical point of view, user's activities need to be synchronized across users' screens at a low latency.
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Overview
 In this how-to guide, we take a cloud-native approach and use Azure services to build a real-time collaborative whiteboard and we deploy the project as a Web App to Azure App Service. The whiteboard app is accessible in the browser and allows anyone can draw on the same canvas.
 
@@ -81,6 +83,9 @@ In order to follow the step-by-step guide, you need
     ```
 
 1. Show and store the value of `primaryConnectionString` somewhere for later use.
+
+    [!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
     ```azurecli-interactive
     az webpubsub key show \
       --name "whiteboard-app" \

articles/azure-web-pubsub/includes/cli-awps-connstr.md

@@ -2,13 +2,10 @@
 author: vicancy
 ms.service: azure-web-pubsub
 ms.topic: include
-ms.date: 08/06/2021
+ms.date: 12/10/2024
 ms.author: lianwei
 ---
 
-> [!IMPORTANT]
-> A connection string includes the authorization information required for your application to access Azure Web PubSub service. The access key inside the connection string is similar to a root password for your service. In production environments, always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.
-
 Use the Azure CLI [az webpubsub key](/cli/azure/webpubsub#az-webpubsub-key) command to get the **ConnectionString** of the service.  Replace the `<your-unique-resource-name>` placeholder with the name of your Azure Web PubSub instance.
 
 ```azurecli

articles/azure-web-pubsub/includes/web-pubsub-connection-string-security-comment.md

@@ -0,0 +1,9 @@
+---
+author: vicancy
+ms.service: azure-web-pubsub
+ms.topic: include
+ms.date: 12/10/2024
+ms.author: lianwei
+---
+
+Raw connection strings appear in this article for demonstration purposes only. In production environments, always protect your access keys. Use Azure Key Vault to manage and rotate your keys securely and [secure your connection with `WebPubSubServiceClient`](../howto-create-serviceclient-with-net-and-azure-identity.md).

articles/azure-web-pubsub/includes/web-pubsub-connection-string-security.md

@@ -0,0 +1,14 @@
+---
+author: vicancy
+ms.service: azure-web-pubsub
+ms.topic: include
+ms.date: 12/10/2024
+ms.author: lianwei
+---
+
+> [!IMPORTANT]
+> Raw connection strings appear in this article for demonstration purposes only.
+>
+> A connection string includes the authorization information required for your application to access Azure Web PubSub service. The access key inside the connection string is similar to a root password for your service. In production environments, always protect your access keys. Use Azure Key Vault to manage and rotate your keys securely and [secure your connection with `WebPubSubServiceClient`](../howto-create-serviceclient-with-net-and-azure-identity.md).
+>
+> Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.

articles/azure-web-pubsub/quickstart-serverless.md

@@ -23,6 +23,8 @@ In this tutorial, you learn how to:
 > - Configure Azure Authentication
 > - Configure Web PubSub Event Handler to route events and messages to the application
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Prerequisites
 
 # [JavaScript Model v4](#tab/javascript-v4)
@@ -789,6 +791,8 @@ Use the following commands to create these items.
 
 1. Configure the `WebPubSubConnectionString` for the function app:
 
+   [!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
    First, find your Web PubSub resource from **Azure Portal** and copy out the connection string under **Keys**. Then, navigate to Function App settings in **Azure Portal** -> **Settings** -> **Configuration**. And add a new item under **Application settings**, with name equals `WebPubSubConnectionString` and value is your Web PubSub resource connection string.
 
 ## Configure the Web PubSub service `Event Handler`

articles/azure-web-pubsub/quickstarts-event-notifications-from-clients.md

@@ -21,6 +21,8 @@ In this quickstart guide, we learn about the event system of Web PubSub so that
 
 :::image type="content" source="media/quickstarts-event-notifications-from-clients/notification.gif" alt-text="GIF of application server receiving client events.":::
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Prerequisites
 - A Web PubSub resource. If you haven't created one, you can follow the guidance: [Create a Web PubSub resource](./howto-develop-create-instance.md)
 - A code editor, such as Visual Studio Code
@@ -142,6 +144,9 @@ npm install -g @azure/web-pubsub-tunnel-tool
 ```
 
 #### 2. Use the service connection string and run
+
+[!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
 ```bash
 export WebPubSubConnectionString="<your connection string>"
 awps-tunnel run --hub myHub1 --upstream http://localhost:8080

articles/azure-web-pubsub/quickstarts-push-messages-from-server.md

@@ -20,6 +20,8 @@ This quickstart guide demonstrates how to
 > * **subscribe** to messages from an application server
 > * **push data** from an application server to **all** connected clients
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Prerequisites
 
 - A Web PubSub resource. If you haven't created one, you can follow the guidance: [Create a Web PubSub resource](./howto-develop-create-instance.md)
@@ -388,6 +390,8 @@ For this quickstart guide, we'll get it from Azure portal as shown below.
 #### Run the server program
 Run the following commands in a ***new*** command shell.
 
+[!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
 ```bash
 # Set the environment variable for your connection string.
 export WebPubSubConnectionString="<Put your connection string here>" 

articles/azure-web-pubsub/reference-client-sdk-java.md

@@ -24,6 +24,8 @@ As shown in the diagram, your clients establish WebSocket connections with your
 
 :::image type="content" source="./media/reference-client-sdk-java/flow-overview.png" alt-text="Screenshot showing clients establishing WebSocket connection with a Web PubSub resource":::
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Getting started
 
 ### Prerequisites
@@ -66,6 +68,8 @@ WebPubSubClient client = new WebPubSubClientBuilder()
 
 In production, a client usually fetches the `Client Access URL` from a negotiation server. The server holds the `connection string` and generates the `Client Access URL` through `WebPubSubServiceClient`. As a sample, the code snippet just demonstrates how to generate the `Client Access URL` inside a single process.
 
+[!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
 ```java readme-sample-createClientFromCredential
 // WebPubSubServiceAsyncClient is from com.azure:azure-messaging-webpubsub
 // create WebPubSub service client

articles/azure-web-pubsub/reference-client-sdk-javascript.md

@@ -23,6 +23,8 @@ As shown in the diagram, your clients establish WebSocket connections with your
 
 :::image type="content" source="./media/reference-client-sdk-javascript/flow-overview.png" alt-text="Screenshot showing clients establishing WebSocket connection with a Web PubSub resource":::
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Getting started
 
 ### Prerequisites
@@ -117,6 +119,8 @@ In production, clients usually fetch `Client Access URL` from an application ser
 #### 1. Application server 
 The code snippet is an example of an application server exposes a `/negotiate` endpoint and returns `Client Access URL`.
 
+[!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
 ```js
 // This code snippet uses the popular Express framework
 const express = require('express');

articles/azure-web-pubsub/reference-rest-api-data-plane.md

@@ -14,6 +14,8 @@ ms.date: 06/09/2022
 
 As illustrated by the above workflow graph, and also detailed workflow described in [internals](./concept-service-internals.md), your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.
 
+[!INCLUDE [Connection string security](includes/web-pubsub-connection-string-security.md)]
+
 ## Using REST API
 
 ### Authenticate via Azure Web PubSub Service AccessKey
@@ -39,6 +41,8 @@ Below claims are required to be included in the JWT token.
 
 A pseudo code in JS:
 
+[!INCLUDE [Connection string security comment](includes/web-pubsub-connection-string-security-comment.md)]
+
 ```js
 const bearerToken = jwt.sign({}, connectionString.accessKey, {
   audience: request.url,