I use smarterasp.net for a web host. I use their control panel to set ASPNETCORE_ENVIRONMENT on my staging server (using pool manager). my appsettings.Staging.json file has the correct connection string (verified 4 different ways). However, my program is failing to read it in.
If I hack the web.config file that gets automatically generated during publishing, then I can make it read in the connection file from appsettings.Staging.json. This both hacky and dangerous...
The same thing is happening on what was supposed to be the production server. Here is the web.config hack for that one:
<aspNetCore processPath="dotnet" arguments=".\TimeReward.Server.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess">
<environmentVariables>
<environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Release" />
</environmentVariables>
</aspNetCore>
As you said, storing the connection string inside the web.config and appsetting.json is not security enough.
For this thing, I suggest you could consider using the Azure Key Vault to store these settings.
You cold set all the settings inside the Azure key vault and inside your project, it just contain a connection string to the Azure key vault. By using it, you could avoid showing the connection string inside your web.config or appsetting.json to improve your application's security.
More details, you could refer to this article.