Link to home
Create AccountLog in
Avatar of curiouswebster
curiouswebsterFlag for United States of America

asked on

SOAP Web service: Is App.config a safe place for a security key?

Is it safe? Are there any  alternatives besides doing a DB lookup?


How about generating it in the source code? 


How else can you protect a 

Thanks.

ASKER CERTIFIED SOLUTION
Avatar of AndyAinscow
AndyAinscow
Flag of Switzerland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of btan
btan

agree with expert on the "Encrypt".


Also store those secret in environment variables or in files outside of the application's source tree. Better still, use a secrets management service, which protects and manages an application's API keys.

https://learn.microsoft.com/en-us/aspnet/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure


Notes for on-premises servers

If you are deploying to on-premises web servers, you can help secure secrets by encrypting the configuration sections of configuration files. As an alternative, you can use the same approach recommended for Azure Websites: keep development settings in configuration files, and use environment variable values for production settings. In this case, however, you have to write application code for functionality that is automatic in Azure Websites: retrieve settings from environment variables and use those values in place of configuration file settings, or use configuration file settings when environment variables are not found.