How can I secure passwords stored inside web.config?

Question

I have added the following settings inside my web.config file to initiate an API call to external system. So I am storing the API URL + username + password as follows:-

<appSettings>     <add key="ApiURL" value="https://...../servlets/AssetServlet" />     <add key="ApiUserName" value="tmsservice" />     <add key="ApiPassword" value="test2test2" />  

Then inside my action method I will be referencing these values when building the web client as follows:-

public ActionResult Create(RackJoin rj, FormCollection formValues)         {            XmlDocument doc = new XmlDocument();            using (var client = new WebClient())                 {                     var query = HttpUtility.ParseQueryString(string.Empty);                     foreach (string key in formValues)                     {                         query[key] = this.Request.Form[key];                     }                      query["username"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiUserName"];                     query["password"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiPassword"];                      string apiurl = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiURL"]; 

But in this was I will be exposing the username and password and these can be captured by users, so my question is how I can secure the API username and password?

Answer 1

You can encrypt the web.config with aspnet_regiis. This is to stop people with access to your server from reading sensitive information.

By the way, I would put your config settings inside a class, that can then be injected into your controllers - it will make unit testing easier.