question

0 Votes
johnjohn-0472 asked johnjohn-0472 commented

Secure the ClientID & ClientSecret inside our remote event receivers (Inside SharePoint Provider hosted app)

I have developed many remote event receivers and host them inside Azure web apps. Now the web.config file inside those remote event receivers contains the ClientId & ClientSecret, as follows:


    <appSettings file="custom.config">
      <add key="ClientId" value="e***7" />
      <add key="ClientSecret" value="h***g=" />
    </appSettings>

Now if a hacker or an end user finds those values inside the project code, then the user can control all the sites, as when we register the remote event receivers we grant them full control on the site collection. So any advice on how we can secure those details, so that if someone accesses the source code of the RER then she/he cannot view those details?

Thanks

office-sharepoint-online

1 Answer

0 Votes
MichaelHan-MSFT answered johnjohn-0472 commented

Hi @johnjohn-0472,

You could try to use Azure Key Vault to secure the ClientID & ClientSecret in the web.config file.

Here is a blog that would be helpful: Securing Secrets Using Azure Key Vault and Config Encryption

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


@MichaelHan-MSFT can you provide an example? And if I need to access the Azure Key value, how will I access it using an API key? Can you advise more?

0 Votes 0 ·
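
Added example (not part of the original thread or of the linked blog): one way to apply the Key Vault suggestion in the answer above is to have the receiver load both values at runtime through the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` packages. It assumes the Azure web app has a managed identity that is allowed to read secrets in the vault; the `KeyVaultUri` app setting, the two secret names and the `AddInCredentials` class are hypothetical names chosen for this sketch.

```csharp
using System;
using System.Configuration;
using System.Threading;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: reads the add-in credentials from Azure Key Vault at runtime
// instead of from <appSettings> in web.config.
public static class AddInCredentials
{
    // Hypothetical names: the app setting key and both secret names are placeholders.
    private const string VaultUriSetting = "KeyVaultUri";
    private const string ClientIdSecretName = "RER-ClientId";
    private const string ClientSecretSecretName = "RER-ClientSecret";

    // PublicationOnly caches a successful fetch for the life of the process but
    // does not cache an exception, so a transient Key Vault failure is retried.
    private const LazyThreadSafetyMode Mode = LazyThreadSafetyMode.PublicationOnly;
    private static readonly Lazy<SecretClient> Client = new Lazy<SecretClient>(CreateClient, Mode);
    private static readonly Lazy<string> ClientIdValue = new Lazy<string>(() => Read(ClientIdSecretName), Mode);
    private static readonly Lazy<string> ClientSecretValue = new Lazy<string>(() => Read(ClientSecretSecretName), Mode);

    public static string ClientId => ClientIdValue.Value;
    public static string ClientSecret => ClientSecretValue.Value;

    private static SecretClient CreateClient()
    {
        // Only the vault URI is kept in configuration; it is not a secret.
        string vaultUri = ConfigurationManager.AppSettings[VaultUriSetting];
        if (string.IsNullOrWhiteSpace(vaultUri))
            throw new ConfigurationErrorsException("App setting '" + VaultUriSetting + "' is missing.");

        // DefaultAzureCredential uses the web app's managed identity in Azure and the
        // developer's own sign-in locally, so no API key is stored in code or config.
        return new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
    }

    private static string Read(string secretName)
    {
        try
        {
            return Client.Value.GetSecret(secretName).Value.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403 || ex.Status == 404)
        {
            // Fail closed; the message names the secret but never its value.
            throw new InvalidOperationException("Key Vault secret '" + secretName + "' is missing or not readable (HTTP " + ex.Status + ").", ex);
        }
    }
}
```

With this in place the `ClientId` and `ClientSecret` entries are deleted from web.config, and the code that previously read them from `appSettings` uses `AddInCredentials.ClientId` and `AddInCredentials.ClientSecret` instead.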