Is it safe to write connection string in web.config?

这一生的挚爱 submitted on 2019-12-10 22:03:05

Question


Is it safe to write connection string in web.config in an ASP.net application? The application will be using 2 databases and I think the connection string can be retrieved easily. Can anyone please suggest a secure place (web.config or other file) for writing the connection string except encrypting it?


Answer 1:


Web.config is the right place for this. You can encrypt the connection string if that's a concern for you. Encrypting the connection string in Web.config is already supported in ASP.NET and it seems that you already know that...

Link for reference.




Answer 2:


If your worry is the outside "hackers" stealing your web.config file, then it doesn't make a difference where you store it, since if they have access to the web.config file, they probably have access to any other location where you may store the CS anyways.

If on the other hand you want to protect from an internal threat, then try saving it into a separate file (even a simple text file will do) and give that file special access permissions that only allow you and the application access and no one else. Also, you may be able to do the same thing with web.config itself.
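
One way to apply the file-permission approach from Answer 2, as an added example that is not part of the original answers: a PowerShell script that strips inherited permissions from a separate connection string file, grants access only to the application identity and administrators, then checks the result. The file path, the app pool name and the use of `configSource` to reference the file are assumptions for illustration.

```powershell
# Added example. $ConfigFile and $AppIdentity are hypothetical placeholders.
# Assumes web.config references the file through the configSource attribute:
#   <connectionStrings configSource="connections.config" />
$ConfigFile  = 'C:\inetpub\wwwroot\MyApp\connections.config'
$AppIdentity = 'IIS AppPool\MyAppPool'      # account the application runs as
$AdminGroup  = 'BUILTIN\Administrators'     # "you" in the answer above

if (-not (Test-Path -LiteralPath $ConfigFile -PathType Leaf)) {
    throw "Connection string file not found: $ConfigFile"
}

# Stop inheriting permissions from the site folder and drop the inherited entries.
icacls $ConfigFile /inheritance:r | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed to disable inheritance" }

# Grant read-only to the application and full control to administrators.
# /grant:r replaces any earlier explicit grant for the same principal.
icacls $ConfigFile /grant:r "${AppIdentity}:(R)" "${AdminGroup}:(F)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed to set permissions" }

# Verify: report any principal other than the two expected ones
# (explicit entries for other accounts survive the steps above).
$expected = @($AppIdentity, $AdminGroup)
$extra = (Get-Acl -LiteralPath $ConfigFile).Access |
    Where-Object { $_.IdentityReference.Value -notin $expected }

if ($extra) {
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType
    Write-Warning "Unexpected principals still have entries on $ConfigFile"
} else {
    Write-Output "Only $AppIdentity (read) and $AdminGroup (full) can access $ConfigFile"
}
```

Run it from an elevated prompt; the same steps can be pointed at web.config itself, as the answer suggests.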



Source: https://stackoverflow.com/questions/10900957/is-it-safe-to-write-connection-string-in-web-config
