我该如何保护存储里面的web.config密码？ [英] How can I secure passwords stored inside web.config?

问题描述

我已经加入以下设置我的web.config文件中启动API调用外部系统。所以我存储API URL +用户名+密码如下： -

I have added the following settings inside my web.config file to initiate an API call to external system. So I am storing the API URL + username +password as follow:-

<appSettings>
    <add key="ApiURL" value="https://...../servlets/AssetServlet" />
    <add key="ApiUserName" value="tmsservice" />
    <add key="ApiPassword" value="test2test2" /> 

然后我的操作方法里面，我将构建Web客户端如下引用时这些值： -

Then inside my action method I will be referencing these values when building the web client as follow:-

public ActionResult Create(RackJoin rj, FormCollection formValues)
        {
XmlDocument doc = new XmlDocument();
using (var client = new WebClient())
                {
                    var query = HttpUtility.ParseQueryString(string.Empty);
                    foreach (string key in formValues)
                    {
                        query[key] = this.Request.Form[key];
                    }

                    query["username"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiUserName"];
                    query["password"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiPassword"];

                    string apiurl = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiURL"];

不过，这是我将揭露的用户名和密码，这些可以由用户拍摄的，所以我的问题是我怎么能保证API的用户名和密码？

But in this was I will be exposing the username and password and these can be captured by users, so my question is how I can secure the API username and password?

推荐答案

一般情况下，web.config文件是一个安全的文件和IIS不为它服务，因此它不会被暴露给谁正在请求Web服务器的用户。 Web服务器仅提供文件和web.config中的特定类型是肯定不会EM之一。

Generally, web.config is a secure file and IIS does not serve it, therefore it will not be exposed to users who are making requests to web server. web server only serves specific type of files and web.config is surely not one of em.

经常保存您的数据库连接字符串中它，其中包括密码。现在想象一个塞纳里奥那里的web.config是不安全的。你已经创建了一个重大的安全威胁您的应用程序。

quite often you save your database connection string in it which includes password. now imagine a senario where web.config was not secure. you have created a major security threat to your application.

因此​​，只要特意为你的项目是不是太大了，你不应该担心。

therefore, specially as long as your project is not too big, you should not be worrying about it.

然而，你可能有一个更好的方法，但创建一个名为资源项目和所有的重要信息保存，如设置，consts，枚举等在那里。这将是一个漂亮的和有组织的方法。

Yet, you may have a better approach but creating a project called "Resources" and save all the critical information such as settings, consts, enums and etc in there. that would be a slick and organized approach.

如果您通过导线传递的用户名/密码，虽然（例如，在一个安全的API调用的情况下），你可能想使用https，使被加密旅行一定信息，但有什么做的web.config文件的安全性。

If you are passing the username/password over the wire though (for example in case of a secured api call), you may want to use https to make sure information that are travelling are encrypted but that has nothing to do with the security of web.config file.

这篇关于我该如何保护存储里面的web.config密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！