Thoughts and best practices on web.config security (encryption issues with Umbraco?)
Hi,
I am looking to ensure that the web.config file's sensitive db information is protected, over and above IIS's restriction to web.config...I guess I am paranoid that a coding error exists, which grants download access to the web.config file.
What are suggestions / best practices regarding fully securing the web.config file so no access is gained by the public / hackers? I was thinking of encryption, but not sure if that will create issues in umbraco.
Thoughts and best practices on web.config security (encryption issues with Umbraco?)
Hi,
I am looking to ensure that the web.config file's sensitive db information is protected, over and above IIS's restriction to web.config...I guess I am paranoid that a coding error exists, which grants download access to the web.config file.
What are suggestions / best practices regarding fully securing the web.config file so no access is gained by the public / hackers? I was thinking of encryption, but not sure if that will create issues in umbraco.
Thanks :)
You can encrypt a web.config file using the official procedure here:
https://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
As far as I understand the encryption is transparent to the application.
But bear in mind if someone can read your
web.configfile then your server is already compromised.Fair enough, and thanks. Are you aware of any testing tools that analyze server security?
is working on a reply...
This forum is in read-only mode while we transition to the new forum.
You can continue this topic on the new forum by tapping the "Continue discussion" link below.
Continue discussion