Secure Your Application's Config File

In this article you will learn how to secure your application's config file.

There are many ways to secure config files. In this article you will see one approach. If confidential information or data of the application is kept in the config file (for example connection strings, SMTP server configuration details, error logger information, etc.), then it needs to be secured.

The screenshots below (1, 2, 3) show how an attacker can steal confidential information from a config file.

Steps to secure config file

Step 1: Keep only framework related settings in application’s config file

Keep only framework-related settings in your web.config / app.config file and remove all confidential information from it.

Step 2: Create a new config file and keep all the confidential information or data in it

Create one new web.config / app.config file and place all your confidential information in the required sections.

Step 3: Place the newly created config file on your hard disk or on any secured server

Place the newly created web.config / app.config file on your hard disk or on any secured server
(let's say you have placed your config file on your hard disk at D:/).

Step 4: Read the config file

Read the required web.config / app.config section from the physical drive or from the secured server.

Below is a sample code snippet that reads the required config sections from the external config file.

  using System;
  using System.Collections.Generic;
  using System.Linq;
  using System.Web;
  using System.Web.UI;
  using System.Web.UI.WebControls;
  using System.Configuration;
  using System.Web.Configuration;
  using System.Net.Configuration;

  namespace SecurityMisConfigurationWebApp
  {
      public partial class _Default : Page
      {
          protected void Page_Load(object sender, EventArgs e)
          {
              // path of the external config file that holds the confidential settings
              var filePath = @"D:\Web.config";

              // map the external file and open it as an exe configuration
              var map = new ExeConfigurationFileMap { ExeConfigFilename = filePath };
              var configFile = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

              // read appSettings info
              AppSettingsSection appSettings = (AppSettingsSection)configFile.GetSection("appSettings");
              string _gxxxxURL = appSettings.Settings["GxxxxURL"].Value;
              string _SMTPHost = appSettings.Settings["SMTPHost"].Value;

              // read connectionStrings info
              ConnectionStringsSection connectionStrings = (ConnectionStringsSection)configFile.GetSection("connectionStrings");
              string _aaaConnectionString = connectionStrings.ConnectionStrings["aaaConnectionString"].ToString();

              // read mail info (system.net/mailSettings section group)
              MailSettingsSectionGroup _mailInfo = configFile.GetSectionGroup("system.net/mailSettings") as MailSettingsSectionGroup;
          }
      }
  }
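The following helper is an added example (not the article's own code) that wraps the same ExeConfigurationFileMap technique from Step 4 with the checks a reviewer would want: it refuses an external config path that resolves inside the web application's own folder (where the web server could serve the file), fails clearly when the file is missing (OpenMappedExeConfiguration does not throw for a non-existent file), and reports a missing key instead of throwing a NullReferenceException. The class name, the D:\Web.config path and the key names are assumptions.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Net.Configuration;

// Added example, not the article's code. Reads the externalised config file
// described in Step 4 with explicit safety checks.
public static class ExternalConfig
{
    // Opens the external config file; appRoot is the web application's physical root.
    public static Configuration Open(string filePath, string appRoot)
    {
        string fullPath = Path.GetFullPath(filePath);
        string rootPath = Path.GetFullPath(appRoot).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;

        // The secret file must never sit under the web root, or it may be served to clients.
        if (fullPath.StartsWith(rootPath, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Secret config must live outside the web root: " + fullPath);

        // OpenMappedExeConfiguration silently returns an empty configuration for a missing file.
        if (!File.Exists(fullPath))
            throw new FileNotFoundException("Secret config file not found", fullPath);

        var map = new ExeConfigurationFileMap { ExeConfigFilename = fullPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    public static string AppSetting(Configuration config, string key)
    {
        var section = (AppSettingsSection)config.GetSection("appSettings");
        var element = section?.Settings[key];
        if (element == null)
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return element.Value;
    }

    public static string ConnectionString(Configuration config, string name)
    {
        var section = (ConnectionStringsSection)config.GetSection("connectionStrings");
        var settings = section?.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);
        return settings.ConnectionString;
    }

    public static SmtpSection Smtp(Configuration config)
    {
        var group = config.GetSectionGroup("system.net/mailSettings") as MailSettingsSectionGroup;
        if (group == null)
            throw new ConfigurationErrorsException("Missing system.net/mailSettings section group");
        return group.Smtp;
    }
}
```

From Page_Load you would call `ExternalConfig.Open(@"D:\Web.config", Server.MapPath("~"))` and then read values through the three accessor methods.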