Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why some asp.net developers encrypt ConnectionStrings?


I seen some asp.net developers encrypt ConnectionStrings that was included in separate config file.
Why they did that ? I know that config files are unreadable from the client side/browser! Is it possible to access to this kind of files ?

like image 383
Dot Freelancer Avatar asked Mar 08 '12 13:03

Dot Freelancer


People also ask

Should you encrypt connection strings?

It means that connection specific information such as database name, username, and password are stored as a clear text in a file. This is definitely a security concern for your Production servers. This is why the connection strings should be encrypted.

How can we secure the ConnectionString from being hacked?

The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.

Is it safe to store connection string in web config?

config based connectionstring as seems is unsafe, because one can read it. But think about it, if a person can read your web. config, means he can edit any file on your server anyways as he probably already hack or gain access to file.


1 Answers

You can't rule out that the web box is compromised. Also, you don't want the web admins to know passwords to databases.

You need to remember that config files cannot be obtained by the browser just because .config extension is in the list of restrictions in IIS metadata. It may be possible to get them from the server in other way or some misconfiguration problem may allow them to be downloaded.

like image 198
Jakub Konecki Avatar answered Oct 21 '22 03:10

Jakub Konecki