Asp.net ConnectionString in a secure way

I could not find a satisfactory answer to my questions on Google:

  • How secure is ConnectionString over HttpRequest?
  • Is using ConnectionString in web.config safer than using on any particular aspx page?
  • And how to protect ConnectionString for a reliable website?

I'm just curious about this.

+1
7 answers

You can encrypt the connection string inside web.config; here is a Microsoft article on this subject: http://msdn.microsoft.com/en-us/library/dx0f3cf2(v=vs.80).aspx

If you send a connection string over a channel, it is no more secure than the channel. For example, send a connection string via HTTP and it will be just plain text; via HTTPS and it will be encrypted; via FTP, just plain text again, and so on ...

If you have a web application in a shared hosted environment, you should be concerned that the provider might be hacked.

So just keep the connection string inside web.config, encrypt it, and do not send it over the Internet ;-)

+8
source

Connection strings are safe in the web.config file. They are very reliable if you do not print them in web requests.

+4
source
+3
source

There are many ways to protect your connection string, for example

  • Encrypt the connection string and save it in web.config.
  • Encrypt the connection string and save it in the Windows registry.

It is best to save the connection string in web.config so that it is the single point of use for the entire application.

+2
source

How secure is ConnectionString over HttpRequest?

This is a string. It is as secure as the connection, so it's usually not secure at all. It is assumed that you send connection string data through HttpRequest. If this is not the case, and your connection string is used in web.config, it is as safe as the file itself and IIS.

Is using ConnectionString in web.config safer than using on any particular aspx page?

No.

And how to protect ConnectionString for a reliable website?

Typically, integrated protection (Windows authentication) is used to prevent hard coding of the username and password. In addition, you can encrypt the configuration section as described here (RSA) and here (DPAPI).

+2
source

How secure is ConnectionString over HttpRequest?

Are you sending a connection string through an HTTP request? Really? What is the scenario? It is only reasonable that web page requests are moved through an HTTP request and response. The connection string is what your code uses internally to access data, and it stays on your server.

Is using ConnectionString in web.config safer than using on any particular aspx page?

Think about maintainability. If you put your connection string in a class, you need to rebuild your application when you need to change the connection string. If any authority has access to your folder where you have your files, they can use a disassembler to find out what is in your DLL.

And how to protect ConnectionString for a reliable website?

You can encrypt the connection string in web.config. Check this link: http://www.codeproject.com/Tips/304638/Encrypt-or-Decrypt-Connection-Strings-in-web-confi

0
source

To answer your questions one at a time:

  • How secure ConnectionString is over the HttpRequest?

You will never have to pass the connection string through HTTP; it usually happens that the user makes a request, your site processes the request, including connecting to the database, and returns the result to the client. The connection string should not be transmitted over HTTP in this scenario.

  • Is using ConnectionString in web.config file more secure than using in any specific aspx page?

Depends on what you do with the connection string - if you ever write it to the client, then it will never be safe! The connection string is usually placed in the configuration for reuse purposes; embedding it on every page greatly facilitates maintenance and potential errors.

  • And how to secure ConnectionString for highly secure website?

You can encrypt the connection - therefore it is never stored as plain text or does not use Windows authentication, so you do not need a password. This is supported by ASP.NET, as described here and here.

0
source
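The two measures the answers recommend (encrypting the `connectionStrings` section with the DPAPI or RSA provider, and preferring Windows authentication over an embedded password) can be applied from code as in the sketch below. It is an added example, not code from any of the answers; the class and method names are hypothetical, and it assumes a .NET Framework web application with SQL Server connection strings.

```csharp
// Added example, not code from the thread. .NET Framework; reference
// System.Configuration and System.Web.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Configuration;

public static class ConnectionStringHardening   // hypothetical name
{
    // Names of SQL Server connection strings that embed a password instead of
    // using Windows authentication (Integrated Security=true).
    public static List<string> FindInlinePasswords(ConnectionStringSettingsCollection settings)
    {
        var flagged = new List<string>();
        foreach (ConnectionStringSettings s in settings)
        {
            try
            {
                var b = new SqlConnectionStringBuilder(s.ConnectionString);
                if (!b.IntegratedSecurity && !string.IsNullOrEmpty(b.Password))
                    flagged.Add(s.Name);
            }
            catch (ArgumentException) { /* not SqlClient syntax; skip */ }
            catch (FormatException) { /* malformed value; skip */ }
        }
        return flagged;
    }

    // Encrypts <connectionStrings> in web.config in place. provider is
    // "DataProtectionConfigurationProvider" (DPAPI) or
    // "RsaProtectedConfigurationProvider" (RSA). Returns false if already encrypted.
    public static bool ProtectConnectionStrings(string appVirtualPath, string provider)
    {
        // Inside a page, pass Request.ApplicationPath as appVirtualPath.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConnectionStringsSection section = config.ConnectionStrings;

        // Log only the entry names, never the connection strings themselves.
        foreach (string name in FindInlinePasswords(section.ConnectionStrings))
            System.Diagnostics.Trace.TraceWarning("Inline password in connection string: " + name);

        if (section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

The application keeps reading the value through `ConfigurationManager.ConnectionStrings` as before, because decryption is transparent to code running under the application's identity; the encryption protects the file at rest, not against code executing inside the application. With the DPAPI provider the encrypted section can only be decrypted on the machine that encrypted it, which is why the RSA provider is the usual choice when the same web.config is deployed to several servers.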

Source: https://habr.com/ru/post/915838/

