tags:

views:

146

answers:

4
+2  Q: 

Is web.config more secure than a class?

I was reading a tutorial on ASP.NET and third party API's and it mentioned that the API KEY and SECRET KEY should be stored in the web.config file, for security on production servers, instead of in the classes that use them. However, I'm not quite sure what's more secure about a web.config file than a class? I understand the convenience of storing it in a config file, but I don't see the security benefit?

+5  A: 

For starters, you can quickly update the API key in the web.config. You'll have to re-compile the class and re-dploy the class.

You can also encrypt sections of the web.config section starting with asp.net 2.0

http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx

If you can keep it on the machine.config, that will ensure that it only lives on that machine and no where else. Web.Configs need to be placed in every environment, and although you can keep the web.config different for each machine, that gets to be difficult over time, because you have to keep them all in sync.

Kevin  2010-04-16 17:48:16
A: 

You can encrypt select parts of your web.config.

Here is a blog entry on the super easy way to do that.

http://odetocode.com/blogs/scott/archive/2006/01/08/encrypting-custom-configuration-sections.aspx

Felan  2010-04-16 17:49:46
A: 

There isn't a security benefit. There is a convenience benefit, in that you don't have to recompile your classes that use these values in the event that they change.

From a security perspective, the classes have the same level of security. The web.config and any class files (in App_Code) or compiled assemblies (in the bin folder) will not be able to be downloaded (those directories are not mapped to virtual directories which people can download from).

If they are obtained, however, there's really no security on either of them. web.config files are easily readable, and with tools like Reflector, it's easy to see the constants you have in a compiled assembly.

The only benefit that web.config has over a compiled assembly is that you can encrypt sections of the web.config file, as Scott Guthrie points out in his blog.

casperOne  2010-04-16 17:50:49
+1  A: 

If it only lives on the web.config on the server, it's not also located on every single developer's machine. This makes it more secure, as your risk of leaking the secrets is diminished.

Yuliy  2010-04-16 17:50:59

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?