views: 146
answers: 4

I was reading a tutorial on ASP.NET and third-party APIs, and it mentioned that the API key and secret key should be stored in the web.config file, for security on production servers, instead of in the classes that use them. However, I'm not quite sure what's more secure about a web.config file than a class. I understand the convenience of storing it in a config file, but I don't see the security benefit.

+5  A: 

For starters, you can quickly update the API key in the web.config. Otherwise you'd have to re-compile and re-deploy the class.

You can also encrypt sections of the web.config, starting with ASP.NET 2.0:

http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx

If you can keep it in the machine.config, that will ensure that it only lives on that machine and nowhere else. Web.configs need to be placed in every environment, and although you can keep the web.config different for each machine, that gets to be difficult over time, because you have to keep them all in sync.

Kevin
A: 

You can encrypt select parts of your web.config.

Here is a blog entry on the super easy way to do that.

http://odetocode.com/blogs/scott/archive/2006/01/08/encrypting-custom-configuration-sections.aspx

Felan
A: 

There isn't a security benefit. There is a convenience benefit, in that you don't have to recompile your classes that use these values in the event that they change.

From a security perspective, the classes have the same level of security. The web.config and any class files (in App_Code) or compiled assemblies (in the bin folder) cannot be downloaded (those directories are not mapped to virtual directories that people can download from).

If they are obtained, however, there's really no security on either of them. web.config files are easily readable, and with tools like Reflector, it's easy to see the constants you have in a compiled assembly.

The only benefit that web.config has over a compiled assembly is that you can encrypt sections of the web.config file, as Scott Guthrie points out in his blog.

casperOne
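The section encryption that Kevin, Felan and casperOne all point to is the one concrete security difference between web.config and a compiled constant, so here is what it looks like in practice. This is an added example, not code from the question, the answers or the linked blog posts. It assumes an appSettings entry named `ThirdPartyApiKey` (a hypothetical name) and that the worker-process identity can write web.config the first time the encryption runs; the deployment path in the comment is a placeholder.

```csharp
// Added example: encrypt the <appSettings> section of an ASP.NET web.config
// at runtime, then read the key back through the normal configuration API.
//
// The same thing can be done once at deployment time with the tool that ships
// with the framework (path is a placeholder):
//   aspnet_regiis -pef "appSettings" C:\inetpub\wwwroot\MyApp
// Reading the value afterwards is unchanged either way.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ProtectedApiKey
{
    // Provider shipped with .NET 2.0+. It uses the Windows DPAPI machine key,
    // so a web.config encrypted here can only be decrypted on this server.
    // To share one encrypted file across a web farm, use
    // "RsaProtectedConfigurationProvider" with an exported RSA key container.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Hypothetical key name, assumed to exist under <appSettings>.
    private const string ApiKeySetting = "ThirdPartyApiKey";

    // Encrypt <appSettings> in place if it is still stored as plaintext.
    public static void EncryptAppSettings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null)
            throw new ConfigurationErrorsException("No <appSettings> section found.");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reverse operation, e.g. before editing the file by hand.
    public static void DecryptAppSettings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("appSettings");
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Callers never see the ciphertext: the runtime decrypts the section
    // transparently, so this is the same code as for a plaintext web.config.
    public static string GetApiKey()
    {
        string key = ConfigurationManager.AppSettings[ApiKeySetting];
        if (string.IsNullOrEmpty(key))
            throw new ConfigurationErrorsException(ApiKeySetting + " is not configured.");
        return key;
    }
}
```

What this buys you is protection of the file at rest: a web.config copied out of a backup, checked into source control by mistake, or read through a path-disclosure bug no longer contains the key in the clear, whereas a constant in a compiled assembly is recoverable with Reflector as casperOne notes. What it does not buy you is protection from anyone who can execute code as the application pool identity on that server, since the runtime decrypts the section for them exactly as it does for your code.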
+1  A: 

If it only lives on the web.config on the server, it's not also located on every single developer's machine. This makes it more secure, as your risk of leaking the secrets is diminished.

Yuliy