One of the most common questions about the web.config file is: is it secure?
Well, it's as secure as you make it. Anyone with access to the file system probably has access to the web.config file, so here's a little obfuscation trick: move some of your sensitive data out of the web.config, or pull it from different parts of the web.config with string.Format().
Consider the following web.config entry.
<add key="DBConnection" value="Data Source={0};User Id={1}; Password={2};Initial Catalog={3};"/>
So this is a SUPER generic connection string with nothing sensitive in it, and now at application start I can pull the real values from another, more secure place, like the DPAPI.
using System.Configuration;

string server = "localhost";
string user = "user";
string password = "password";
string catalog = "catalog";
// The {0}..{3} template, read from the appSettings section of web.config
string ConfigDBString = ConfigurationSettings.AppSettings["DBConnection"];
string connection = string.Format(ConfigDBString, server, user, password, catalog);
Then you have your connection string. Obviously these values would not be hard coded as in the example above; they would come from the secure store, but I'm sure you get the point.
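The same idea carried one step further, as an added example that is not the post's own code: the password is kept DPAPI-protected in web.config and only the non-secret parts stay in clear text, and the string is assembled with SqlConnectionStringBuilder rather than string.Format, because string.Format does no quoting and a secret containing ';' or a quote would corrupt the string. It assumes .NET 2.0's ProtectedData and ConfigurationManager classes and two hypothetical appSettings keys, DBServer and DBPassword.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original post's code. Assumes .NET 2.0+ and two
// hypothetical appSettings keys in web.config:
//   DBServer   = "localhost"   (non-secret parts can stay in clear text)
//   DBPassword = base64 output of Protect() below, written once by an admin tool
public static class SecureConnectionString
{
    // One-time step, run on the web server: DPAPI protects the clear password.
    // LocalMachine scope lets any account on this box recover it; CurrentUser
    // scope (run under the app pool identity) ties it to that account instead.
    public static string Protect(string clearText)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(clearText), null, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64)
    {
        byte[] clear = ProtectedData.Unprotect(
            Convert.FromBase64String(base64), null, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(clear);
    }

    // Assemble the connection string. Unlike string.Format on the {n} template,
    // the builder quotes values, so a password containing ';' or a quote
    // cannot corrupt the string or alter other keywords.
    public static string Build(string server, string user, string password, string catalog)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = server;
        b.UserID = user;
        b.Password = password;
        b.InitialCatalog = catalog;
        return b.ConnectionString;
    }

    // At application start: non-secret parts from web.config, password via DPAPI.
    public static string FromConfig()
    {
        string server = ConfigurationManager.AppSettings["DBServer"];
        string password = Unprotect(ConfigurationManager.AppSettings["DBPassword"]);
        return Build(server, "user", password, "catalog");
    }
}
```

Run Protect() once from an admin tool on the web server to produce the DBPassword value; the site never sees or logs the clear password except in memory at start-up.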
UPDATED: August 1, 2004
After reading this, my buddy DonXML sent me a note about his Object Oriented approach to this topic. Here are his comments...
I saw your post on the connection string stuff in the web.config file, and was wondering if you saw my Encrypted Connection String code example at GotDotNet. You could either use it instead of your example, or just use the base ConnectionString class as a simple and easy way to parse your connection string into its components (in an OO style). I also have a SqlServerConnectionString class and an OracleConnectionString class that inherit from the base class, with all the rules from the respective documentation implemented (so you can't build a connection string that will not work).
Very helpful indeed, thanks Don.