Prevent copy/paste of password and warn (#44761)

Rick-Anderson · web-flow · commit 2515b856d3d4 · 2025-01-14T05:06:57.000Z
diff --git a/src/WebSdk/README.md b/src/WebSdk/README.md
@@ -16,6 +16,24 @@ The `ProjectSystem` package defines the following for ASP.NET Core Web Projects:
 - Default [globs](https://learn.microsoft.com/dotnet/core/extensions/file-globbing)
 - Project Capabilities
 
+Password best practices
+======================
+
+For production deployments:
+
+* Use MSBuild to create artifacts, but without deployment, so no credentials are required. Deploy apps as a separate non-MSBuild step that has fewer dependencies and is easier to audit.
+* Use deployment keys with short expiration times. A server in a separate root of trust is used to manage the deployment keys. Secrets aren't exposed to the project, ensuring that even if the project is compromised, the root of trust remains secure.
+
+In this document, replace `<Deploy-/p:Password>` with the deployment password.
+
+[Azure Key Vault](https://learn.microsoft.com/azure/key-vault/general/overview) and [.NET Aspire](https://learn.microsoft.com/dotnet/aspire/get-started/aspire-overview) provide the most secure way to store and retrieve secrets. Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. For .NET Aspire, see [Secure communication between hosting and client integrations](https://learn.microsoft.com/dotnet/aspire/extensibility/secure-communication-between-integrations).
+
+Configuration data guidelines:
+
+* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files.
+* Don't use production secrets in development or test environments.
+* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.
+
 `Microsoft.NET.Sdk.Publish`
 ======================
 
@@ -63,27 +81,27 @@ MSDeploy Publish:
 Using MsBuild with the default profile:
 
 ```
-msbuild  WebApplication.csproj /p:DeployOnBuild=true /p:WebPublishMethod=MSDeploy /p:MSDeployServiceURL=<msdeployUrl> /p:DeployIisAppPath=<IISSiteName> /p:UserName=<username> /p:Password=<DeploymentPassword> /p:PublishProfile=DefaultMSDeploy
+msbuild  WebApplication.csproj /p:DeployOnBuild=true /p:WebPublishMethod=MSDeploy /p:MSDeployServiceURL=<msdeployUrl> /p:DeployIisAppPath=<IISSiteName> /p:UserName=<username> /p:Password=<Deploy-/p:Password> /p:PublishProfile=DefaultMSDeploy
 ```
 
 Using dotnet with the default profile:
 
 ```
-dotnet publish WebApplication.csproj /p:WebPublishMethod=MSDeploy /p:MSDeployServiceURL=<msdeployUrl> /p:DeployIisAppPath=<IISSiteName> /p:UserName=<username> /p:Password=<DeploymentPassword> /p:PublishProfile=DefaultMSDeploy
+dotnet publish WebApplication.csproj /p:WebPublishMethod=MSDeploy /p:MSDeployServiceURL=<msdeployUrl> /p:DeployIisAppPath=<IISSiteName> /p:UserName=<username> /p:Password=<Deploy-/p:Password> /p:PublishProfile=DefaultMSDeploy
 ```
 
 Profile can be added to the following location in the project /Properties/PublishProfiles/<MsDeployProfile.pubxml>. MsDeploy Publish profile samples are available below:
 
 Using MsBuild with a profile:
 
 ```
-msbuild WebApplication.csproj /p:DeployOnBuild=true /p:PublishProfile=<MsDeployProfile name> /p:Password=<DeploymentPassword>
+msbuild WebApplication.csproj /p:DeployOnBuild=true /p:PublishProfile=<MsDeployProfile name> /p:Password=<Deploy-/p:Password>
 ```
 
 Using dotnet with a profile:
 
 ```
-dotnet publish WebApplication.csproj /p:PublishProfile=<MsDeployProfile name> /p:Password=<DeploymentPassword>
+dotnet publish WebApplication.csproj /p:PublishProfile=<MsDeployProfile name> /p:Password=<Deploy-/p:Password>
 ```
 
 MsDeploy Package:
@@ -121,27 +139,27 @@ Zip Deploy:
 Using MsBuild with the default profile:
 
 ```
-msbuild WebApplication.csproj /p:DeployOnBuild=true /p:WebPublishMethod=ZipDeploy /p:PublishUrl=<Destination URL> /p:UserName=<username> /p:Password=<DeploymentPassword> /p:PublishProfile=DefaultZipDeploy
+msbuild WebApplication.csproj /p:DeployOnBuild=true /p:WebPublishMethod=ZipDeploy /p:PublishUrl=<Destination URL> /p:UserName=<username> /p:Password=<Deploy-/p:Password> /p:PublishProfile=DefaultZipDeploy
 ```
 
 Using dotnet with the default profile:
 
 ```
-dotnet publish WebApplication.csproj /p:WebPublishMethod=ZipDeploy /p:PublishUrl=<Destination URL> /p:UserName=<username> /p:Password=<DeploymentPassword> /p:PublishProfile=DefaultZipDeploy
+dotnet publish WebApplication.csproj /p:WebPublishMethod=ZipDeploy /p:PublishUrl=<Destination URL> /p:UserName=<username> /p:Password=<Deploy-/p:Password> /p:PublishProfile=DefaultZipDeploy
 ```
 
 Profile can be added to the following location in the project /Properties/PublishProfiles/<ZipDeploy.pubxml>.
 
 Using MsBuild with a profile:
 
 ```
-msbuild WebApplication.csproj /p:DeployOnBuild=true /p:PublishProfile=<ZipDeployProfile name> /p:Password=<DeploymentPassword>
+msbuild WebApplication.csproj /p:DeployOnBuild=true /p:PublishProfile=<ZipDeployProfile name> /p:Password=<Deploy-/p:Password>
 ```
 
 Using dotnet with a profile:
 
 ```
-dotnet publish WebApplication.csproj /p:PublishProfile=<ZipDeployProfile name> /p:Password=<DeploymentPassword>
+dotnet publish WebApplication.csproj /p:PublishProfile=<ZipDeployProfile name> /p:Password=<Deploy-/p:Password>
 ```
 
 One Deploy:
@@ -151,15 +169,15 @@ Using dotnet with the default profile:
 
 ```
 
-dotnet publish WebJobApplication.csproj /p:WebPublishMethod=OneDeploy /p:PublishUrl=<DestinationUrl> /p:UserName=<username> /p:Password=<DeploymentPassword> /p:PublishProfile=DefaultWebJobOneDeploy
+dotnet publish WebJobApplication.csproj /p:WebPublishMethod=OneDeploy /p:PublishUrl=<DestinationUrl> /p:UserName=<username> /p:Password=<Deploy-/p:Password> /p:PublishProfile=DefaultWebJobOneDeploy
 ```
 
 Profile can be added to the following location in the project /Properties/PublishProfiles/<OneDeploy.pubxml>.
 
 Using dotnet with a profile:
 
 ```
-dotnet publish WebJobApplication.csproj /p:PublishProfile=<OneDeployProfile name> /p:Password=<DeploymentPassword>
+dotnet publish WebJobApplication.csproj /p:PublishProfile=<OneDeployProfile name> /p:Password=<Deploy-/p:Password>
 ```
 
 Sample folder profile:
@@ -198,7 +216,7 @@ Sample MsDeploy Publish Profile:
     <MSDeployPublishMethod>WMSVC</MSDeployPublishMethod>
     <EnableMSDeployBackup>True</EnableMSDeployBackup>
     <UserName>$vramakwebappwithdb</UserName>
-    <Password>DeployPassword</Password>
+    <Password></$Credential></Password>
   </PropertyGroup>
 </Project>
 ```
@@ -257,16 +275,16 @@ Sample MsDeploy Profile With Destination Connection String & EF Migrations:
     <MSDeployPublishMethod>WMSVC</MSDeployPublishMethod>
     <EnableMSDeployBackup>True</EnableMSDeployBackup>
     <UserName>$vramakwebappwithdb</UserName>
-    <Password>DeployPassword</Password>
+    <Password></$Credential></Password>
   </PropertyGroup>
   <ItemGroup>
     <DestinationConnectionStrings Include="ShoppingCartConnection">
-      <Value>Data Source=tcp:dbserver.database.windows.net,1433;Initial Catalog=shoppingcartdbdb_db;User Id=appUser@dbserver;Password=password</Value>
+      <Value>Data Source=tcp:dbserver.database.windows.net,1433;Initial Catalog=shoppingcartdbdb_db;User Id=appUser@dbserver;Password=</$DB_Credential></Value>
     </DestinationConnectionStrings>
   </ItemGroup>
   <ItemGroup>
     <EFMigrations Include="ShoppingCartContext">
-      <Value>Data Source=tcp:dbserver.database.windows.net,1433;Initial Catalog=shoppingcartdbdb_db;User Id=efMigrationUser@dbserver;Password=password</Value>
+      <Value>Data Source=tcp:dbserver.database.windows.net,1433;Initial Catalog=shoppingcartdbdb_db;User Id=efMigrationUser@dbserver;Password=</$DB_Credential></Value>
     </EFMigrations>
   </ItemGroup>
 </Project>
