Reputation: 9645
Is the web.config more secure than the database?
I'm building a small MVC app and I have a question in my head that sounds like a total noob question, but I have to ask it anyway
I have to store the users mailserver username and password, and I'm debating whether I should create a settings table in my database or put the info in the web.config.
Is one more secure than the other? If so, which one?
I know I can encrypt the web.config, but I also know modifying it from the app causes an app restart, so allowing the user to configure their own settings could be problematic if I want to write to the config.
Upvotes: 1
Views: 112
Answers (1)
Reputation: 1323
If an attacker can access your web.config file, he is most likely able to access the database as well. Storing credentials in plaintext, regardless of location, is problematic.
Upvotes: 1
Related Questions
- web.config with db connection string for asp.net mvc site. DB and site on same server. Need security?
- Is it safe to hardcode a password in web.config?
- What is the potential security risk of including the db password in the web.config
- Is there a need to secure connection string in web.config?
- Is web.config protected by IIS?
- When should I store config data in the database and not my web.config?
- web.Config vs Database Settings table
- Is web.config more secure than a class?
- Editing a web.config file through web application will cause any security problem?
- Is encrypting web.config pointless?