Menu
i already found information about how to encrypt the web.config with a custom provider and certificate for web roles in order to secure connection strings and other settings.
Is this also possible for web sites? If not how can i secure my connection string for web sites? i know i can manage connection strings in the azure portal but these are also stored in clear text. So in case someone gains access to the web.config or the azure management he will be able to read all data.
Also see:
http://www.heikniemi.net/hardcoded/2013/06/encrypting-connection-strings-in-windows-azure-web-applications/comment-page-1/#comment-173488
http://blogs.msdn.com/b/sqlazure/archive/2010/09/10/10060395.aspx
345
Web. config files are protected by IIS, so clients cannot access it. If you try to retrieve an existing http://mydomain.com/Web.config file, you'll be notified with an “Access denied” error message.
It is always recommended to encrypt the connection string of your application because the data we have there is highly sensitive. It must be secured.
Store key-value string pairs (connection strings and other secrets) in Azure configuration information associated with a website. This sensitive information then never show up as cleartext in a web.config
http://azure.microsoft.com/blog/2013/07/17/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
This should be sufficiently secure - if azure admin credentials get compromised, you lose everything, not just connection strings - an attacker can simply use web sites remote debugging to get any info stepping through the program even if you had a way to encrypt/decrypt connection strings.
-Simon.
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
