3

Is storing connection strings in web.config the most secure solution? Is there a way to store them on the server to which they are deployed instead (as a system DSN, for example, though I believe those are cumbersome)?

I'm moving my work codebase to BitBucket, and for some reason am extremely uncomfortable with the idea of having a web.config that contains a database username/password on a machine that I don't have draconian control over. I may just be acting irrationally; never hosted any code externally.

1
  • Have you considered integrated security? Then your connection string doesn't have to contain such sensitive information. Commented Oct 6, 2011 at 6:50

3 Answers

5

You can encrypt sections of your web.config. You could do that for the ConnectionStrings Section. MSDN link available here.


2

If you are concerned about the security of your connection strings you have the possibility to encrypt them.
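
The section encryption suggested in the two answers above, as an added example that is not part of the original thread: a post-deployment PowerShell step that encrypts `connectionStrings` on the server with `aspnet_regiis` and then checks that no plaintext remains. The site path and the .NET Framework 4.x 64-bit install path are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the deployment server.
# Assumptions: .NET Framework 4.x 64-bit; $SitePath is a hypothetical site folder.
param([string]$SitePath = 'C:\inetpub\wwwroot\MyApp')

$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$config = Join-Path $SitePath 'web.config'

function Test-SectionEncrypted {
    param([string]$Path, [string]$Section)
    # An encrypted section carries a configProtectionProvider attribute and
    # holds an <EncryptedData> element instead of readable <add> entries.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    # local-name() keeps the lookup working if <configuration> declares a namespace.
    $node = $xml.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='$Section']")
    if ($null -eq $node) { throw "No <$Section> section in $Path" }
    $hasProvider = $node.HasAttribute('configProtectionProvider')
    $hasCipher   = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
    return ($hasProvider -and $hasCipher)
}

if (Test-SectionEncrypted -Path $config -Section 'connectionStrings') {
    Write-Output 'connectionStrings is already encrypted; nothing to do.'
    return
}

# -pef encrypts the named section of the web.config in the given physical folder.
# The DPAPI provider ties the ciphertext to this machine, so a copied file cannot
# be decrypted elsewhere; the RSA provider is used if -prov is omitted.
& $regiis -pef 'connectionStrings' $SitePath -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify rather than trust the exit code: fail the deployment if plaintext remains.
if (-not (Test-SectionEncrypted -Path $config -Section 'connectionStrings')) {
    throw 'connectionStrings is still in plaintext after the encryption attempt.'
}
Write-Output 'connectionStrings encrypted; ASP.NET decrypts it transparently at run time.'
```

The matching `-pdf` switch reverses the operation on the same machine.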


1

Personally I think this case is overblown. ASP.Net by default will never serve your web.config file no matter how hard a determined hacker tries to get it.

2 Comments

The question is: when a hacker gets access to the computer through some other hole, what will he or she find? A username and password in the clear? Great, now they have easy access to all your data too.
Regardless, it never hurts to have defense-in-depth mechanisms.
