Why do some ASP.NET developers encrypt ConnectionStrings?


I saw some ASP.NET developers encrypting ConnectionStrings, which were included in a separate configuration file.
Why would they do that? I know that configuration files are not readable from the client side / browser! Is it possible to access files of this type?

+6
4 answers

You cannot rule out that a web block has been hacked. In addition, you do not want network administrators to know database passwords.

You need to remember that configuration files cannot be retrieved by the browser just because the .config extension is in the list of restrictions in IIS metadata. Perhaps they can be obtained from the server in another way or a problem with the wrong configuration may allow them to be downloaded.

+15

They can be accessed by service personnel, backup operators, or other users who have access to the disk without going through the website. This is one example.

+4

If you download the web.config file with custom errors set to "off", any errors generated by your web application will display your code. This may even include lines from your configuration files, and this may include “ConnectionStrings”, which makes them visible to the public.

+3

For each organization, the most important thing for them is their data.

  • This is done where several developers work on the same application.
  • Sometimes new developers are also credited to the team. Finding out every aspect of your database, system, login, machine name is never a good approach.
  • There is a possibility of information leakage during the production process, Q / A phase testing, etc.
  • This is very convenient when stealing code inside the organization, when your data is safe from external intrusion, since the connection strings were encrypted.
  • Can you bear the risk if someone has access to your database and resets the table / schema or deletes all of your tables?

MSDN: How to Protect Connection Strings When Using a Data Source

+3
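The answers above point at two web.config conditions that expose database credentials: readable connection strings and detailed errors shown to clients. The following audit check is an added example, not code from any of the answers; the function name, finding texts and both sample configurations are constructed for illustration, and it can be run over config files wherever they end up (disk, backups, source control).

```python
import re
import xml.etree.ElementTree as ET

PASSWORD_KEY = re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=")

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return sorted finding strings for one web.config document."""
    findings = set()
    for elem in ET.fromstring(xml_text).iter():
        name = local(elem.tag)
        if name == "customErrors" and elem.get("mode") == "Off":
            findings.add("customErrors mode=Off: error detail shown to all clients")
        if name != "connectionStrings":
            continue
        if elem.get("configProtectionProvider"):
            continue  # protected section: body is EncryptedData, not <add> entries
        if elem.get("configSource"):
            findings.add("connectionStrings in separate file, audit it too: "
                         + elem.get("configSource"))
        for child in elem:
            value = child.get("connectionString", "")
            if local(child.tag) == "add" and PASSWORD_KEY.search(value):
                findings.add("plaintext password in connection string: "
                             + child.get("name", "?"))
    return sorted(findings)

# Constructed sample: readable credentials and detailed errors enabled.
WEAK = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=example-only;" />
  </connectionStrings>
  <system.web><customErrors mode="Off" /></system.web>
</configuration>"""

# Constructed sample: protected section; the cipher text is a placeholder.
HARDENED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.web><customErrors mode="RemoteOnly" /></system.web>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_web_config(text))
```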

Source: https://habr.com/ru/post/910243/

