Secure the ClientID & ClientSecret inside our remote event receivers (Inside SharePoint Provider hosted app)

john john 946 Reputation points
2021-04-17T21:25:14.89+00:00

I have developed many remote event receivers and host them inside Azure web apps. Now the web.config file inside those remote event receivers contains the ClientId & ClientSecret, as follows:

  <appSettings file="custom.config">
    <add key="ClientId" value="e***7" />
    <add key="ClientSecret" value="h***g=" />
  </appSettings>

Now if a hacker or an end user finds those values inside the project code, then the user can control all the sites, as when we register the remote event receivers we grant them full control on the site collection. So, any advice on how we can secure those details, so that if someone accesses the source code of the RER, she/he cannot view those details?

Thanks


1 answer

    MichaelHan-MSFT 18,016 Reputation points
    2021-04-19T05:52:16.527+00:00

    Hi @john john,

    You could try to use Azure Key Vault to secure the ClientID & ClientSecret in the web.config file.

    Here is a blog that would be helpful: Securing Secrets Using Azure Key Vault and Config Encryption

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
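As an added illustration of the Key Vault approach suggested in the answer (example code, not from the question, the answer, or the SharePoint SDK), the snippet below reads the RER's ClientSecret from Azure Key Vault at runtime so the value never sits in web.config or source control. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages, a web app managed identity granted "get" on secrets, and placeholder vault and secret names.

```csharp
// Added example: fetch RER credentials from Azure Key Vault instead of web.config.
// Assumes: NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets;
// the Azure web app runs with a managed identity that has "get" on secrets;
// "KeyVaultUri" and the secret names below are placeholders, not values from the page.
using System;
using System.Collections.Concurrent;
using System.Configuration;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class AppSecrets
{
    // Only the vault URI stays in web.config; it is an address, not a secret:
    //   <add key="KeyVaultUri" value="https://YOUR-VAULT-NAME.vault.azure.net/" />
    private static readonly SecretClient Client = new SecretClient(
        new Uri(ConfigurationManager.AppSettings["KeyVaultUri"]),
        // Managed identity in App Service; developer sign-in (Visual Studio / az login) locally.
        new DefaultAzureCredential());

    // In-memory cache so each RER event does not round-trip to Key Vault.
    private static readonly ConcurrentDictionary<string, string> Cache =
        new ConcurrentDictionary<string, string>();

    public static string Get(string secretName)
    {
        return Cache.GetOrAdd(secretName, name => Client.GetSecret(name).Value.Value);
    }
}

// Usage: TokenHelper.cs ships as source in the provider-hosted app project and reads
// ClientId/ClientSecret via WebConfigurationManager.AppSettings.Get(...). Replace that
// read for the secret with the Key Vault lookup, e.g.:
//   private static readonly string ClientSecret = AppSecrets.Get("Rer-ClientSecret");
// Then delete the ClientSecret entry from web.config / custom.config and rotate the
// secret in the SharePoint app registration, since the old value was already in code.
```

Alternatively, Azure App Service can resolve an app setting of the form `@Microsoft.KeyVault(SecretUri=...)` from Key Vault itself; App Service app settings override the matching web.config appSettings keys at runtime, so the secret can be moved out of the project with no code change.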