How to protect web.config file?

  • Question

  • User546194788 posted

    After publishing the app, I found that web.config, which stores the connection string including the SQL Server password, is not compiled.

    How can I make web.config not a text file while the app can still read it?

    Wednesday, October 31, 2018 2:42 PM

All replies

  • User2103319870 posted

    How can I make web.config not a text file while the app can still read it?

    You can take a look at the option of encrypting AppSettings and ConnectionString in the web.config file.

    https://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

    Wednesday, October 31, 2018 3:05 PM
  • User61956409 posted

    Hi aspfun,

    After publishing the app, I found that web.config, which stores the connection string including the SQL Server password, is not compiled.

    If you host your web application on an IIS server, you need not worry about browser clients accessing the web.config file and getting the SQL Server password, because by default IIS helps block several of the ASP.NET-related paths for us: Web.config, bin, App_Code, etc.

    Besides, if you want to prevent someone who could connect to your web server from getting the plain-text password, as A2H mentioned, you can encrypt the connection strings in Web.config.

    With Regards,

    Fei Han

    Thursday, November 1, 2018 3:17 AM
  • User-1320437544 posted

    Encrypt the sensitive areas of the web.config as the two guys before me already said. That's the best you could do. The version of the framework which you are using has tools for doing it.

    Friday, November 16, 2018 6:11 AM
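
The encryption the replies recommend, sketched as an added example that is not part of the original thread: it encrypts the `connectionStrings` section in place with `aspnet_regiis`, grants the app pool access to the key container, and then checks that no plain-text entries remain. The site path, app pool name and framework folder are assumptions; run it from an elevated prompt on the web server itself.

```powershell
# Added example. $SitePath and $AppPool are placeholders (assumptions), not values from the thread.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MyApp',  # folder that contains web.config
    [string]$AppPool  = 'MyAppPool'                  # IIS application pool that runs the site
)
$ErrorActionPreference = 'Stop'

# Usual location of the .NET Framework 4.x tool on 64-bit Windows (assumption).
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

$config = Join-Path $SitePath 'web.config'
if (-not (Test-Path $config)) { throw "No web.config in $SitePath" }

# Encrypt <connectionStrings> in place using the machine-level RSA provider.
# ASP.NET decrypts the section transparently, so application code does not change.
& $regiis -pef 'connectionStrings' $SitePath -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "Encryption step failed (exit code $LASTEXITCODE)" }

# Give the app pool identity read access to the default RSA key container,
# otherwise the site cannot decrypt the section at run time.
& $regiis -pa 'NetFrameworkConfigurationKey' "IIS APPPOOL\$AppPool"
if ($LASTEXITCODE -ne 0) { throw "Granting key access failed (exit code $LASTEXITCODE)" }

# Verify the result instead of trusting the tool output.
[xml]$xml = Get-Content -Raw $config
$section  = $xml.configuration.connectionStrings
if (-not $section) { throw 'web.config has no <connectionStrings> section' }

# An encrypted section names its provider and holds <EncryptedData>, not <add> entries.
if (-not $section.configProtectionProvider -or -not $section.EncryptedData) {
    throw 'connectionStrings section is not encrypted'
}
if ($section.add) {
    throw 'Plain-text <add> connection string entries are still present'
}

Write-Host "connectionStrings encrypted with $($section.configProtectionProvider)"
# To reverse on the same server: aspnet_regiis -pdf "connectionStrings" <site path>
```

The key container is tied to the server, so a web.config encrypted on one machine will not decrypt on another unless the key is exported and imported there. An administrator on that server, or code running as the app pool identity, can still decrypt the section.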