Safe storage of app secrets for Blazor Webassembly app

2

10

I am searching for a way to safely store app secrets in a Blazor WebAssembly application. We can find details for server-side applications in the MSDN documentation below.

https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows

How can we use this kind of secret in a Blazor WebAssembly application, which runs completely in the client browser?

My basic scenario is that I need to keep passwords and product key (licensing key) information out of the application code. For example, we load the license inside the static Main method of Program.cs.

https://i.sstatic.net/kCrV1.png

    using System;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

    public class Program
    {
        public static async Task Main(string[] args)
        {
            // Want to access the product key here and need to avoid hardcoding
            SomeThirdPartyLibrary.RegisterLicense("product-key");
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("app");

            builder.Services.AddTransient(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });

            await builder.Build().RunAsync();
        }
    }

I have searched the Blazor documentation and was not able to find any details on this. Please help me find the recommended way of resolving this in Blazor WebAssembly.

(For server-side, we have a variety of options, but for client-side, what might be the recommended way?)

Sensualism answered 2/7, 2020 at 15:35 Comment(4)
Who do you want to keep it from? The user? - Milkfish
My scenario is that I want to get the password from the secret file in the static Main method of Program.cs. For that, I am checking multiple ways; I can do it easily on the server side but not on the client side. - Sensualism
If my requirement is wrong, then please suggest the recommended way of keeping app secrets out of the application code. Anyone, please help me. - Sensualism
Does this answer your question? How to protect/encrypt data stored in session/local storage in Blazor WebAssembly - Colis
1

If you store it on the client, it's not safe.

There is an experimental MS NuGet package that claims to make the storage safe by encrypting it - Microsoft.AspNetCore.ProtectedBrowserStorage

You can read how to use it here https://learn.microsoft.com/en-us/aspnet/core/blazor/state-management?view=aspnetcore-3.1

Cordon answered 2/7, 2020 at 16:44 Comment(4)
Thank you. I need to access the details in Program.cs before initializing Blazor. Any help for this? - Sensualism
As per the link, Microsoft.AspNetCore.ProtectedBrowserStorage is only supported in Blazor Server projects. - Theisen
But how will you be doing calls to a database server? - Quintillion
@Quintillion You NEVER give a client access to the database server; it is a security flaw. The client should talk to an API server, and that should connect to the server. - Cordon
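
The arrangement described in the last comment above, where the browser app calls an API server and only that server holds the credential, as an added example (not code from the thread or from Microsoft's documentation). It assumes a separate ASP.NET Core server project on .NET 6 or later with implicit usings; the configuration keys `ThirdParty:ApiKey` and `ThirdParty:BaseUrl`, the `X-Api-Key` header and both routes are hypothetical.

```csharp
// Program.cs of the SERVER project (not the Blazor WebAssembly client).
var builder = WebApplication.CreateBuilder(args);

// The secret is read from server-side configuration only: user secrets in
// development, environment variables or a vault in production.
// It is never compiled into, or sent to, the browser app.
string apiKey = builder.Configuration["ThirdParty:ApiKey"]
    ?? throw new InvalidOperationException("ThirdParty:ApiKey is not configured.");
// Assumed to end with '/' so the relative path below resolves under it.
string baseUrl = builder.Configuration["ThirdParty:BaseUrl"]
    ?? throw new InvalidOperationException("ThirdParty:BaseUrl is not configured.");

// Named client that attaches the key to outgoing calls on the server side.
builder.Services.AddHttpClient("thirdParty", client =>
{
    client.BaseAddress = new Uri(baseUrl);
    client.DefaultRequestHeaders.Add("X-Api-Key", apiKey); // hypothetical header name
});

var app = builder.Build();

// The browser sends only an integer id; the upstream host and path are fixed
// here, so the client cannot redirect the keyed request elsewhere.
// In a deployed app this endpoint would also sit behind the application's own
// authentication (for example .RequireAuthorization()); that setup is omitted.
app.MapGet("/api/report/{id:int}", async (int id, IHttpClientFactory factory, CancellationToken ct) =>
{
    var client = factory.CreateClient("thirdParty");
    using var upstream = await client.GetAsync($"v1/report/{id}", ct);

    // Do not relay upstream error bodies, which may echo request details.
    if (!upstream.IsSuccessStatusCode)
        return Results.StatusCode(StatusCodes.Status502BadGateway);

    string body = await upstream.Content.ReadAsStringAsync(ct);
    return Results.Content(body, "application/json");
});

app.Run();
```

The WebAssembly client calls `/api/report/{id}` with the `HttpClient` it already registers in its own `Program.cs`, so the key appears neither in the downloaded assemblies nor in the traffic between browser and server.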
0

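You can use in-memory configuration by using MemoryConfigurationSource.

Example:

using System.Collections.Generic;
using Microsoft.Extensions.Configuration.Memory;

// Key/value pairs exposed through IConfiguration
var appsettings = new Dictionary<string, string>()
{
   { "API:Key", "12345" }
};
// InitialData is a property, so it is set with an object initializer
var memoryConfig = new MemoryConfigurationSource { InitialData = appsettings };
builder.Configuration.Add(memoryConfig);

Then whenever you want to use it, just @inject the configuration (in Razor pages), or in your Program class it will look like:

builder.Configuration.GetValue<string>("API:Key")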
Bodega answered 5/8, 2020 at 7:53 Comment(2)
Is this secure? Can a hacker not have access to values saved in MemoryConfigurationSource? - Theisen
There's no .NET server-side dependency. The app is fully functioning after it's downloaded to the client. So that means that the app will be calling DB server and you can see the traffic. I am assuming it is unsafe. - Quintillion
