I am developing a web app which requires a username and password to be stored in the web.config; it also refers to some URLs which will be requested by the web app itself and never the client.
I know the .NET Framework will not allow a web.config file to be served; however, I still think it's bad practice to leave this sort of information in plain text.
Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.
Can anyone recommend any good, free encryption DLLs or methods which I can use? I'd rather not develop my own!
Thanks for the feedback so far guys, but I am not able to issue commands and am not able to edit the registry. It's going to have to be an encryption util/helper, but just wondering which one!
A config-based connection string seems unsafe because one can read it. But think about it: if a person can read your web.config, it means he can edit any file on your server anyway, as he has probably already hacked or gained access to the files.
The <appSettings> element stores custom application configuration information, such as database connection strings, file paths, XML Web service URLs, or any other custom configuration information for an application.
EDIT:
If you can't use the asp utility, you can encrypt the config file using the SectionInformation.ProtectSection method.
Sample on CodeProject:
Encryption of Connection Strings inside the Web.config in ASP.Net 2.0
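The approach named in the answer above, as an added example that is not part of the original post or the linked CodeProject article: the application encrypts its own config sections on first start, so no command line or registry access is needed. The class name `ConfigProtector` and the choice of sections are assumptions; `RsaProtectedConfigurationProvider` is one of the two providers the framework registers by default.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Added example: ConfigProtector is a hypothetical helper name.
// Call once at startup, e.g. from Application_Start in Global.asax:
//     ConfigProtector.ProtectSections("appSettings", "connectionStrings");
public static class ConfigProtector
{
    // Built-in provider; "DataProtectionConfigurationProvider" (DPAPI) is the other.
    private const string Provider = "RsaProtectedConfigurationProvider";

    public static void ProtectSections(params string[] sectionNames)
    {
        // "~" opens the web.config at the application root.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        bool changed = false;

        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                continue; // section not present in this web.config

            SectionInformation info = section.SectionInformation;
            if (info.IsProtected || info.IsLocked)
                continue; // already encrypted, or locked by a parent config

            info.ProtectSection(Provider);
            info.ForceSave = true; // write the section even if its values are unchanged
            changed = true;
        }

        // Save only when something changed: rewriting web.config restarts the app.
        if (changed)
            config.Save(ConfigurationSaveMode.Modified);
    }
}
```

Reads through `ConfigurationManager.AppSettings` and `ConfigurationManager.ConnectionStrings` stay unchanged because the framework decrypts the section transparently. The application identity needs write permission on web.config for the save to succeed, and the encrypted file only decrypts on the server that holds the key, so keep a plain-text copy off the host for redeployment.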