Sönke

Reputation: 45

Is it safe to hardcode a password in web.config?

How safe is it to write the password in the web.config of an ASP.NET project like this:

<mailSettings>
    <smtp from="[email protected]">
       <network host="smtp.web.com"
        port="123"
        userName="[email protected]"
        password="12345"
        enableSsl="true"/>
     </smtp>
</mailSettings>

I'm not too familiar with internet security, so if this is not safe, are there any alternatives?

Upvotes: 4

Views: 3616

Answers (1)

Sai Puli

Reputation: 971

Look into encrypting web.config sections.

https://msdn.microsoft.com/en-us/library/bb986855.aspx

https://stackoverflow.com/a/6224769/461822

Something like

aspnet_regiis.exe -pef "system.net/mailSettings/smtp" "C:\inetpub\wwwroot\website" -prov RSAProtectedConfigurationProvider

Do think about <machineKey> value when deploying to a web-farm.

If you're setting <machineKey> in your web.config, you're basically giving away the key to decrypt.

So, like David said in the comments above, if you're comfortable with sharing secrets with people who have access to your code, then it's fine.

If not, create a test SMTP environment where you don't mind sharing credentials and put those credentials in web.config.

Or look into tools like Papercut for local testing and change the values in the web.config right before/after deploying.

Upvotes: 3
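
A check that can run before deployment, as an added example that is not part of the original question or answer: it reports any cleartext `password` attribute in a web.config and lists the sections that are already encrypted. The function name and both sample documents are constructed for illustration; the encrypted sample assumes the `configProtectionProvider` attribute and `EncryptedData` element that protected configuration writes into an encrypted section.

```python
import xml.etree.ElementTree as ET

# Element that aspnet_regiis leaves inside a protected section
ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"

def audit_web_config(xml_text):
    """Return (plaintext, protected): paths of cleartext password
    attributes and paths of sections that are encrypted."""
    plaintext, protected = [], []

    def walk(elem, parent):
        path = f"{parent}/{elem.tag}" if parent else elem.tag
        # Protected section: configProtectionProvider plus an EncryptedData child
        if "configProtectionProvider" in elem.attrib and elem.find(ENCRYPTED_DATA) is not None:
            protected.append(path)
            return  # contents are ciphertext, nothing readable below here
        for name, value in elem.attrib.items():
            if name.lower() == "password" and value:
                plaintext.append(f"{path}@{name}")
        for child in elem:
            walk(child, path)

    for section in ET.fromstring(xml_text):  # skip the <configuration> root
        walk(section, "")
    return plaintext, protected

# Constructed sample: the layout from the question, with placeholder values
PLAIN = """<configuration><system.net><mailSettings>
  <smtp from="sender@example.invalid">
    <network host="smtp.example.invalid" port="587"
             userName="sender@example.invalid" password="placeholder" enableSsl="true"/>
  </smtp>
</mailSettings></system.net></configuration>"""

# Constructed sample: the same section after encryption (ciphertext is a placeholder)
ENCRYPTED = """<configuration><system.net><mailSettings>
  <smtp configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </smtp>
</mailSettings></system.net></configuration>"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, audit_web_config(doc))
```

A non-empty first list is a reason to stop the deployment; the second list confirms which sections the encryption step actually covered.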
