I am very restricted with what technology stack I can use for this project...
I have a static site (SPA) hosted on IIS with ARR and URL-Rewrite (module) rules setup to call an external API from the server and return the results to the client.
It works like this:
So far everything works as long as I store the API token in the serverVariables of the web.config file where the url-rewrite module can see it. I want to encrypt the tokens in some form, but everything I try is failing to work.
I have tried encrypting web.config sections with aspnet_regiis but I continue to get various errors as though IIS cannot read the web.config file. The main error seems to be: "Configuration section encryption is not supported".
I have tried everything the internet and AI have suggested, and nothing seems to work. All I want is to encrypt these API tokens on the server yet allow the URL-Rewrite Module in IIS 10 to be able to access them.
I'm on the latest version of IIS/ARR Module/URL-Rewrite Module. The Static Site is standard html/js/css
I want to encrypt the tokens in some form, but everything I try is failing to work.
As far as I know, URL Rewrite reads the rules directly, including any values it requires (such as API tokens), and cannot decrypt encrypted content.
And since you are already using a reverse proxy, the API requests are forwarded to the backend service, which can securely save the API token and handle the communication with the API. So I am not sure why you would store the token in Web.Config and try to encrypt it.
On the other hand, if you need to encrypt the token, I think it should be considered from your backend code and configuration side, not IIS.