Overview

Sensitive configuration settings, like API keys and connection strings, are often stored in web.config. This can pose a security risk. This guide shows how to move sensitive settings to an external file and secure them.

Steps to Secure Configuration Settings

1. Create AppSettings.config

Create a new configuration file (e.g., AppSettings.config) to store sensitive settings:

Example AppSettings.config:

  <appSettings>
    <add key="DbConnectionString" value="Server=localhost;Database=myDb;User Id=myUser;Password=myPass;" />
  </appSettings>

2. Update web.config to Reference AppSettings.config

Modify web.config to use the configSource attribute to refer to the new external configuration file:

Updated web.config:

  <configuration>
    <appSettings configSource="AppSettings.config" />
  </configuration>

3. Secure the AppSettings.config File

Ensure that the AppSettings.config file is only accessible by the application and authorized users:

  • Set file permissions so that only the necessary accounts (e.g., application pool identity) have access to the file.
  • Remove unnecessary permissions for other users.

4. Encrypt Sensitive Data (Optional)

Use ASP.NET's aspnet_regiis tool to encrypt sensitive sections of the configuration files (like connectionStrings). The section name must match where the secret actually lives: the example above keeps the connection string under appSettings, so that is the section to pass in that case. The path argument is the physical directory that contains web.config; when the section uses configSource, the encrypted content is written to the external file:

  • Encrypt connection strings:
    aspnet_regiis -pef "connectionStrings" "C:\Path\To\Your\WebApp"
  • Decrypt connection strings:
    aspnet_regiis -pdf "connectionStrings" "C:\Path\To\Your\WebApp"
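The following script is an added example, not part of the original guide, that carries out steps 3 and 4 from an elevated PowerShell prompt and then checks the result. The site path, the application pool name "MyAppPool" and the .NET Framework 4.x install path are placeholder assumptions to adjust for your deployment.

```powershell
# Added example (not from the original guide): lock down AppSettings.config (step 3)
# and encrypt the section it holds (step 4). Run from an elevated PowerShell prompt.
# Assumed placeholders: the site path, the application pool name "MyAppPool" and the
# .NET Framework 4.x install path; adjust them to your deployment.
$AppPath      = 'C:\Path\To\Your\WebApp'
$PoolIdentity = 'IIS AppPool\MyAppPool'          # identity the worker process runs as
$SecretsFile  = Join-Path $AppPath 'AppSettings.config'

# Step 3: stop inheriting the web root's ACL and keep only the entries that are needed.
$acl = Get-Acl -Path $SecretsFile
$acl.SetAccessRuleProtection($true, $false)       # protect the DACL, drop inherited rules
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)            # clear explicit entries before re-adding
}
$grants = @(
    @{ Identity = $PoolIdentity;            Rights = 'Read' },        # the app only reads it
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }, # operators
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Identity, $g.Rights, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SecretsFile -AclObject $acl

# Step 4: the example keeps the connection string under <appSettings>, so that is the
# section to encrypt. aspnet_regiis resolves configSource and writes the encrypted
# content into AppSettings.config rather than into web.config.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pef 'appSettings' $AppPath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Checks: no plaintext <add> entries remain on disk, and the ACL is what we intended.
$content = Get-Content -Path $SecretsFile -Raw
if ($content -match '<add\s')            { throw 'Plaintext settings still present' }
if ($content -notmatch '<EncryptedData') { throw 'Section was not encrypted' }
(Get-Acl -Path $SecretsFile).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The final table should list only the three granted principals with IsInherited set to False; any other entry means the ACL reset did not take effect.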

5. (Optional) Use a Custom Configuration Provider

For additional security, use services like Azure Key Vault or AWS Secrets Manager to securely store and retrieve sensitive information programmatically.

Benefits of Externalizing Configuration

  1. Security: Sensitive data is no longer in web.config, reducing the risk of exposure.
  2. Manageability: Configuration settings are easier to maintain and modify in a separate file.
  3. Environment Flexibility: Different environments (development, production) can use different configuration files.

Best Practices

  • Do not store sensitive files in version control. Use .gitignore to exclude files like AppSettings.config.
  • Use environment-specific files (e.g., AppSettings.Dev.config, AppSettings.Prod.config) for better environment management.
  • Consider using secure storage services (e.g., Azure Key Vault) for sensitive data instead of storing it in config files.

By externalizing sensitive settings to a secure file and encrypting critical sections, you improve the security and flexibility of your .NET application, making it easier to manage and deploy safely.

If you found this helpful, consider supporting my work at ☕ Buy Me a Coffee.