2

I have encrypted the "web.config" file of my MVC3 web application with aspnet_regiis.exe. BUT if someone has physical access to the "web.config", he probably has access to cshtml files too. So he can inject, for example a code like this:

<label>@ConfigurationManager.AppSettings["dbconnection"].ToString()</label>

and thus compromising security in my application. Are there any suggestions how can I solve this problem ?

Improve this question

1 Answer 1

Reset to default
3

If someone had physical access to the web.config then they would have access to the server, which means they would have access to the whole application and IIS etc. They then could delete the whole app if they wanted.

I would be looking to secure access to the server and not access to the application if this is your concern?

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Agreed, if someone has access to the files you've already been compromised!
What about if my application is hosted on shared hosting server and someone has gained access to my files through compromising other application on this server ?
That is a risk you take when you use shared hosting. Dedicated Server or a cloud VM is the way forward.
@user1268545 Could you pre-compile your Razor views? blog.davidebbo.com/2011/06/precompile-your-mvc-views-using.html The question is whether this will guard against new views being created, or existing views being replaced with uncompiled versions.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.