将敏感信息保留在web.config中 [英] Keeping sensitive information in web.config

问题描述

是否可以安全地将用户名或密码存储在web.config中作为其他参数，例如ASP.NET MVC应用程序中的超时期限?如果不是，是否可以使这些参数安全，以使它们无法在已发布服务器上的web.config文件中进行编码?另一方面，您是否建议将用户名，密码和其他常量参数作为静态值存储在Class(* .cs)文件中?您能为我澄清一下哪种方法更好地存储此类参数吗?

Is it secure to store username or password in web.config as the other parameters e.g. timeout period in ASP.NET MVC applications? If not, is it possible to make these parameters securable so that they cannot be encoded in the web.config file on the published server? On the other hand, would you suggest to store username, password and the other constant parameters in a Class (*.cs) file as static values? Could you please clarify me about which approach is better in order to store such parameters?

推荐答案

永远不要在源代码中存储敏感数据.您可以使用configSource属性替换整个<connectionStrings>标记.

You should never store sensitive data in source code. You can use the configSource attribute to replace the entire <connectionStrings> markup.

<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>

ConnectionStrings.config应该与Web.config位于同一文件夹中.最好保留扩展名.config，因为IIS不提供配置文件. 版本控制系统必须忽略此文件.

ConnectionStrings.config should be in the same folder as Web.config. It's best to keep extension .config, as config files are not served by IIS. This file must be ignored by version control system.

https://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and -天蓝色

这篇关于将敏感信息保留在web.config中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！