0

I'm looking for the most secure and most convenient method to store some critical parameters in a configuration file of my ASP.NET web site (code in C# with Visual Studio 2012, and published with IIS, but I don't know if this really matters), such as connection strings and other parameters.

From what I found, I have the following options:

  • The web.config. That way, only my website will access the settings.

Problem: when I publish the changes of my site from Visual Studio, the parameters may be overwritten (or is there a way not to overwrite them during the publication?)

  • The machine.config => The publication won't overwrite the existing parameters.

Problem: all websites on the machine will have access to the configuration file (and this may be a security issue)

  • SQL Server: easy to maintain

Problem: needs a connection string to access the database. Where should I store the connection string?

  • Registry: average maintainability. Impossible to define specific user rights for each category or web site.

  • A simple INI file. Very easy to maintain. But is that secure enough?

Thanks in advance for your answers.

1
  • 2
    You can indeed prevent Visual Studio from copying web.config during a publish operation. stackoverflow.com/questions/2812905/… I tend to put my app's configuration data into a separate .config file that is referenced from web.config and then prevent VS from publishing it. Commented Jan 20, 2016 at 21:04

1 Answer

1

Well, for a .NET ASPX or MVC website, the web.config is the standard configuration, and a remote user can't see or download it.

If you want to store sensitive information, you can store encrypted values, using a reversible algorithm.

Have a look at the appSettings section. In this case you can read data with WebConfigurationManager.AppSettings, but bear in mind that if you want to change those values, you will need to restart the application to have new values loaded.

Machine.config is more a machine configuration.

SQL Server, or in general a database, could be a way, but again I'd use encryption if data are sensitive. This might be the way to go if you wanted to have values loaded on the fly, without having to reload the application, but it really depends on how you read or cache the values.

As for Registry and INI files, I wouldn't suggest them for a web app.

Hope it helps.


2 Comments

Thanks a lot for your quick and exhaustive answer.
For anyone coming to this now, here's the rather sparse documentation for encrypting configuration sections: learn.microsoft.com/en-us/previous-versions/aspnet/…
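
An added example, not part of the answer or comments above: one way to encrypt web.config sections in place with the .NET Framework's protected configuration API, so that connection strings and appSettings are stored encrypted while the application keeps reading them the usual way. The class name `ConfigProtector` and the section list in the usage comment are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (not from the original thread).
// Usage, e.g. once from an admin-only page or a deployment step:
//   ConfigProtector.Protect("~", "connectionStrings", "appSettings");
public static class ConfigProtector
{
    // Built-in provider. Its RSA key container can be exported to other
    // servers in a farm; "DataProtectionConfigurationProvider" (DPAPI) is
    // the machine-bound alternative.
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts the named sections of the site's web.config.
    // The application pool identity needs write access to web.config and
    // read access to the provider's key container for this to succeed.
    public static void Protect(string virtualPath, params string[] sectionNames)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        bool changed = false;

        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                throw new ConfigurationErrorsException("Section not found: " + name);

            SectionInformation info = section.SectionInformation;
            if (info.IsProtected || info.IsLocked)
                continue; // already encrypted, or locked by a parent config file

            info.ProtectSection(Provider);
            info.ForceSave = true; // write the section even if its values did not change
            changed = true;
        }

        if (changed)
            config.Save(ConfigurationSaveMode.Modified);
    }

    // Reading is unchanged: ASP.NET decrypts protected sections transparently.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings cs = WebConfigurationManager.ConnectionStrings[name];
        if (cs == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);
        return cs.ConnectionString;
    }
}
```

Encryption at rest protects the file if it is copied or leaked through a backup or source control; code running inside the application, or anyone with access to the key container on the server, can still read the decrypted values.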
