如何保护存储在 web.config 中的密码? [英] How can I secure passwords stored inside web.config?

问题描述

我在 web.config 文件中添加了以下设置以启动对外部系统的 API 调用.所以我按如下方式存储 API URL + 用户名 + 密码:-

I have added the following settings inside my web.config file to initiate an API call to external system. So I am storing the API URL + username + password as follows:-

<appSettings>
    <add key="ApiURL" value="https://...../servlets/AssetServlet" />
    <add key="ApiUserName" value="tmsservice" />
    <add key="ApiPassword" value="test2test2" /> 

然后在我的操作方法中，我将在构建 Web 客户端时引用这些值，如下所示:-

Then inside my action method I will be referencing these values when building the web client as follows:-

public ActionResult Create(RackJoin rj, FormCollection formValues)
        {
           XmlDocument doc = new XmlDocument();
           using (var client = new WebClient())
                {
                    var query = HttpUtility.ParseQueryString(string.Empty);
                    foreach (string key in formValues)
                    {
                        query[key] = this.Request.Form[key];
                    }

                    query["username"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiUserName"];
                    query["password"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiPassword"];

                    string apiurl = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiURL"];

但在这里我将暴露用户名和密码，这些可以被用户捕获，所以我的问题是如何保护 API 用户名和密码?

But in this was I will be exposing the username and password and these can be captured by users, so my question is how I can secure the API username and password?

推荐答案

一般来说，web.config 是一个安全文件，IIS 不提供它，因此它不会暴露给向 Web 服务器发出请求的用户.Web 服务器仅提供特定类型的文件，而 web.config 肯定不是其中之一.

Generally, web.config is a secure file and IIS does not serve it, therefore it will not be exposed to users who are making requests to web server. Web server only serves specific type of files and web.config is surely not one of 'em.

您经常将包含密码的数据库连接字符串保存在其中.现在想象一个 web.config 不安全的场景.您对您的应用程序造成了重大安全威胁.

Quite often you save your database connection string in it which includes password. Now imagine an scenario where web.config was not secure. You have created a major security threat to your application.

所以，特别是只要你的项目不是太大，就不用担心.

Therefore, specially as long as your project is not too big, you should not be worrying about it.

然而，您可能有更好的方法，但创建一个名为Resources"的项目并将所有关键信息(如设置、常量、枚举等)保存在其中.这将是一种巧妙而有组织的方法.

Yet, you may have a better approach but creating a project called "Resources" and save all the critical information such as settings, consts, enums and etc in there. That would be a slick and organized approach.

如果您通过网络传递用户名/密码(例如在安全 API 调用的情况下)，您可能需要使用 https 来确保传输的信息是加密的，但与此无关web.config 文件的安全性.

If you are passing the username/password over the wire though (for example in case of a secured API call), you may want to use https to make sure that information that are travelling are encrypted but that has nothing to do with the security of web.config file.

这篇关于如何保护存储在 web.config 中的密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！