Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I was reading a tutorial on ASP.NET and third party API’s and it mentioned that the API KEY and SECRET KEY should be stored in the web.config file, for security on production servers, instead of in the classes that use them. However, I’m not quite sure what’s more secure about a web.config file than a class? I understand the convenience of storing it in a config file, but I don’t see the security benefit?
For starters, you can quickly update the API key in the web.config. You’ll have to re-compile the class and re-dploy the class.
You can also encrypt sections of the web.config section starting with asp.net 2.0
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
If you can keep it on the machine.config, that will ensure that it only lives on that machine and no where else. Web.Configs need to be placed in every environment, and although you can keep the web.config different for each machine, that gets to be difficult over time, because you have to keep them all in sync.