Are site properties a secure place to store API Keys?

Are site properties a secure place to store API Keys?  

Obviously it does not keep them particularly safe from other developers, they can log into service center and read them there in plain text.

However, when it comes to a live application, are the site properties ever exposed to the end user? Could there be a way that that information was gleaned, if the API key was only being used in server actions?

If this is not a secure solution, then what do other users use? What is best practice here?


Hi Jordan,

Like you already said, anyone being able to look at the site properties can see the keys, as can anyone having access to the database directly. Unless you explicitly expose them, no-one can see them under normal circumstances. Of course, when you're hacked it's a different story :).

If you do not want API keys to be visible, even for those with access to Service Center, you could symetrically encrypt the keys, e.g. with the CryptoAPI.

Interesting, one of my banking client asks the same.

It's nice that Site Properties are saved in database, it does add a layer of protection as database will be heavily guarded.

But Site Properties are also cached in front-end, is that cache secured?

Hi Harlin,

It's not something that can be accessed I presume, it still lives server-side. What kind of securing do you think of?

EDIT: Read to quickly, ignore the previous response.