Securing data in web.config or appsettings.json

05 Jun 2018 by Kolappan N

It is common for developers to store passwords inside the web.config file. IIS refuses to serve .config files by default, so the file is not exposed to clients even if it sits in the web root. This provides some level of protection.

However, starting with .NET Core, web.config is replaced by appsettings.json. A misconfigured web server can serve a .json file like any other static file, and the file is routinely committed to source control, so it is not safe to store plain-text passwords in it.

One way to secure the data is to stop storing critical information in appsettings.json / web.config altogether. But storing it there allows the values to vary per environment, and keeping a database connection string in config is still better than hardcoding it inside the code.

A practical way to secure this is to encrypt the connection string and other sensitive values stored in config, and decrypt them at runtime. You can use a helper such as the one below to read a key and decrypt it. The helper uses WebConfigurationManager, which is the classic ASP.NET API for web.config; in .NET Core the equivalent lookup goes through IConfiguration, but the pattern is the same.

// The key used to encrypt the config values. A C# field cannot be both const and readonly;
// a static readonly string is what was intended here.
private static readonly string decryptKey = "";

public string GetFromConfig(string key)
{
    var encryptedText = System.Web.Configuration.WebConfigurationManager.AppSettings[key];
    var plainText = Decrypt(encryptedText, decryptKey); // Decrypt is the app's own helper, not shown in the post
    return plainText;
}

In this way the decryption key lives inside the project, common to all environments, while the encrypted values in web.config can be changed without recompiling the app. Be clear about what this buys you: a key compiled into the assembly can be recovered by anyone who can read the deployed binary, so this protects against accidental disclosure of the config file (served by the web server, leaked through source control or a backup), not against an attacker who already has access to the application's files. If that is in your threat model, keep the key out of the build, for example in an environment variable set on the server or in a key vault; classic ASP.NET can also encrypt whole config sections with aspnet_regiis -pe, which uses DPAPI so no key needs to be in code at all.

You can rotate the decryption key and re-encrypt the corresponding data with each release to limit how long a leaked key stays useful.
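The following is an added example, not code from the original post, showing both halves of the scheme described above: an operator-side Encrypt that produces the value to paste into appsettings.json / web.config, and an app-side Decrypt that replaces the post's Decrypt helper. It uses AES-GCM so a tampered value is rejected rather than silently decrypted to garbage, and it loads the key from an environment variable instead of compiling it in. The environment variable name CONFIG_KEY, the "enc:" prefix and the ConfigCrypto class name are choices made for this example, and the dictionary stands in for an IConfiguration lookup so the code runs without extra packages (.NET Core 3.0 or later; AesGcm is not available on .NET Framework).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post.
// Assumptions (names chosen for illustration): the key is read from an environment
// variable named CONFIG_KEY (base64 of 32 bytes) and encrypted settings are stored
// as "enc:<base64>" so that a leftover plain-text secret is easy to spot.
public static class ConfigCrypto
{
    private const int NonceSize = 12;     // AES-GCM nonce length in bytes
    private const int TagSize = 16;       // AES-GCM authentication tag length in bytes
    private const string Prefix = "enc:";

    // Load the key from the environment instead of compiling it into the assembly.
    public static byte[] LoadKeyFromEnvironment(string variable = "CONFIG_KEY")
    {
        var b64 = Environment.GetEnvironmentVariable(variable);
        if (string.IsNullOrWhiteSpace(b64))
            throw new InvalidOperationException($"{variable} is not set");
        var key = Convert.FromBase64String(b64);
        if (key.Length != 32)
            throw new InvalidOperationException($"{variable} must decode to 32 bytes (AES-256)");
        return key;
    }

    // Encrypt one setting value. Stored layout: nonce || tag || ciphertext, base64, with prefix.
    public static string Encrypt(string plaintext, byte[] key)
    {
        var nonce = new byte[NonceSize];
        RandomNumberGenerator.Fill(nonce); // fresh nonce per value; never reuse one with the same key
        var pt = Encoding.UTF8.GetBytes(plaintext);
        var ct = new byte[pt.Length];
        var tag = new byte[TagSize];
        using (var aes = new AesGcm(key))
            aes.Encrypt(nonce, pt, ct, tag);

        var blob = new byte[NonceSize + TagSize + ct.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, NonceSize, TagSize);
        Buffer.BlockCopy(ct, 0, blob, NonceSize + TagSize, ct.Length);
        return Prefix + Convert.ToBase64String(blob);
    }

    // Decrypt one setting value. Values without the prefix are refused so that a plain-text
    // secret that slipped into the config fails loudly at startup instead of being used silently.
    public static string Decrypt(string stored, byte[] key)
    {
        if (stored == null || !stored.StartsWith(Prefix, StringComparison.Ordinal))
            throw new InvalidOperationException("setting is not encrypted (missing 'enc:' prefix)");

        var blob = Convert.FromBase64String(stored.Substring(Prefix.Length));
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("encrypted value is too short");

        var nonce = new byte[NonceSize];
        var tag = new byte[TagSize];
        var ct = new byte[blob.Length - NonceSize - TagSize];
        Buffer.BlockCopy(blob, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(blob, NonceSize, tag, 0, TagSize);
        Buffer.BlockCopy(blob, NonceSize + TagSize, ct, 0, ct.Length);

        var pt = new byte[ct.Length];
        using (var aes = new AesGcm(key))
            aes.Decrypt(nonce, ct, tag, pt); // throws CryptographicException if the value was tampered with
        return Encoding.UTF8.GetString(pt);
    }

    // Equivalent of the post's GetFromConfig; the dictionary stands in for appsettings.json / IConfiguration.
    public static string GetFromConfig(IDictionary<string, string> settings, string name, byte[] key)
        => Decrypt(settings[name], key);
}

public static class Program
{
    public static void Main()
    {
        // Constructed demo: generate a key the way an operator would, once per environment.
        var key = new byte[32];
        RandomNumberGenerator.Fill(key);
        Environment.SetEnvironmentVariable("CONFIG_KEY", Convert.ToBase64String(key));

        // Operator side: encrypt the connection string and paste the output into the config file.
        var enc = ConfigCrypto.Encrypt("Server=db;User Id=app;Password=hunter2", ConfigCrypto.LoadKeyFromEnvironment());
        Console.WriteLine("store in config: " + enc);

        // App side: read the setting and decrypt it with the key from the environment.
        var settings = new Dictionary<string, string> { ["ConnectionStrings:Default"] = enc };
        Console.WriteLine("decrypted: " + ConfigCrypto.GetFromConfig(settings, "ConnectionStrings:Default", ConfigCrypto.LoadKeyFromEnvironment()));

        // A modified stored value is rejected by the GCM tag check instead of yielding garbage.
        var blob = Convert.FromBase64String(enc.Substring(4));
        blob[blob.Length - 1] ^= 0x01; // flip one bit of the ciphertext
        try { ConfigCrypto.Decrypt("enc:" + Convert.ToBase64String(blob), key); }
        catch (CryptographicException) { Console.WriteLine("tampered value rejected"); }
    }
}
```

On .NET 8 and later the single-argument AesGcm constructor is marked obsolete in favour of new AesGcm(key, TagSize); it still compiles and behaves the same. The same Decrypt can be wired into an ASP.NET Core app by calling it on the IConfiguration value at startup, and the key rotation the post recommends then means generating a new CONFIG_KEY, re-running Encrypt over each protected setting, and deploying both together.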

Tags: .Net, Security