0

I am creating an email service using ASP.NET Core. Here I am adding my email credentials to appsettings.json:

"SmtpSettings": {
  "Host": "smtp.office365.com",
  "Port": xxx,
  "Username": "[email protected]",
  "Password": "password",
  "EnableSsl": true
}

Is this secure to save these in appsettings.json? What are ways to improve security of credentials?

For now, I am using appsettings.json.

Improve this question
3
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. Commented Sep 12 at 4:28
  • 1
    Well, if this is shared with other devs, it is not secure. This could be stored with azure key vault for instance Commented Sep 12 at 5:01
  • The ASP.NET Core docs already cover secrets management. No, this isn't secure and the steps you take depend on what you're trying to protect against. Commented Sep 12 at 6:43

3 Answers 3

Reset to default
2

If the appsettings.json file is added to source control (i.e., Git, Bitbucket), your credentials may be exposed to anyone with access to the repository.

There are several ways to improve the security:

  1. Environment Variables: Store sensitive data like your SMTP details, credentials or connection strings in Environment Variables.
"SmtpSettings": {
  "Host": "smtp.office365.com",
  "Port": xxx,
  "Username": "%SMTP_USERNAME%",
  "Password": "%SMTP_PASSWORD%",
  "EnableSsl": true
}
  1. Third-Party (AWS SSM): ASP.NET Core allows you to build custom configuration providers, which could load credentials from other secure sources like databases or a third-party (AWS SSM).
var builder = new ConfigurationBuilder()
    .AddJsonFile("appsettings.json")
    .AddEnvironmentVariables()
    .AddUserSecrets<Program>();
var configuration = builder.Build();
  1. Azure Key Vault: If your app is hosted on Azure, you can use Azure Key Vault. You can access these secrets through the Azure SDK.
"SmtpSettings": {
  "Host": "smtp.office365.com",
  "Port": xxx,
  "Username": "@AzureKeyVault:SMTP_Username",
  "Password": "@AzureKeyVault:SMTP_Password",
  "EnableSsl": true
}

However, if you must store sensitive data in appsettings.json (or other files), ensure that it is encrypted. You could encrypt your sensitive fields before saving them to the configuration and decrypt them again at runtime. This is not commonly recommended because it adds complexity, but it can be an option for you.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

😡 This is not secure:

"SmtpSettings": {
  "Host": "smtp.office365.com",
  "Port": 111,
  "Username": "[email protected]",
  "Password": "mymymy123*123*123",
  "EnableSsl": true
}

😇 This is more secure:

"SmtpSettings": {
  "Host": "smtp.office365.com",
  "Port": 111,
  "Username": "[email protected]",
  "Password": "hashedPassword(like: 7uhjk43c356xrer1)",
  "EnableSsl": true
}

You should not set critical datas like passwords, (even usernames), in your config files. It can be dockerfile or appsettings.json. You should not.

You must create encrypted values. When you read config, you convert hashed data to raw value.

✍️ See this: https://stackoverflow.com/a/10177020/19262548

Improve this answer

Comments

0

I think this is an x/y problem. Your real question is how you send email secure and it looks like you have Office 365.

Look into doing with Microsoft Graph, you most likely need a Tenant and a Secret.

Improve this answer

1 Comment

Yes we have o365. But this email should auto generated and send through a web app. Angular + Asp.net

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.