Asp.net ConnectionString in secure way

离开以前 2020-12-20 06:24

I could not get a satisfactory answer to my questions on Google; they are:

  • How secure ConnectionString is over the HttpRequest?
  • Is using Connection
7 answers
  •  囚心锁ツ
    2020-12-20 07:19

    To answer your questions in turn:

    • How secure ConnectionString is over the HttpRequest?

    You should never have to pass your connection string over HTTP; what usually happens is a user makes a request, your site processes the request including connecting to the database, and returns the result to the client. Connection String should not be sent over HTTP in this scenario.

    • Is using ConnectionString in web.config file more secure than using in any specific aspx page?

    Depends on what you do with the connection string - if you ever write it out to the client then it's never going to be secure! The connection string is usually placed into config for reusability purposes; embedding it on every page makes for a lot more maintenance and potential bugs.

    • And how to secure ConnectionString for highly secure website?

    You can encrypt the connection - so it is never stored as plain text, or use Windows Authentication so you never need a password. This is supported by ASP.Net as described here and here.
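
The two options named in the answer above, sketched as an added example that is not part of the original answer: encrypting the `<connectionStrings>` section of web.config with ASP.NET protected configuration, and a Windows Authentication connection string that carries no password. The class and method names, the server name `DBSERVER` and the database name `AppDb` are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Web.Configuration;
using System.Web.Hosting;

// Hypothetical helper class (name chosen for this example).
public static class ConnectionStringProtection
{
    // Encrypts <connectionStrings> in the application's web.config in place.
    // Run once from a deployment step or an admin-only code path, not per request.
    // Returns true if the section was encrypted by this call, false if it already was.
    public static bool ProtectConnectionStrings()
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(HostingEnvironment.ApplicationVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");

        if (section.SectionInformation.IsProtected)
            return false;

        // DPAPI-based provider: the key is tied to this machine, so the encrypted
        // file cannot be copied to another server and read there. For a web farm,
        // "RsaProtectedConfigurationProvider" with a shared key container is the
        // usual choice instead.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading needs no extra code: the configuration system decrypts the section
    // transparently, and the value stays on the server.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string '" + name + "' not found.");
        return settings.ConnectionString;
    }

    // Windows Authentication variant (constructed sample value): the application
    // pool identity is used to log in, so no password is stored anywhere.
    public const string IntegratedSecurityExample =
        "Data Source=DBSERVER;Initial Catalog=AppDb;Integrated Security=SSPI;";
}
```

The account the application pool runs under must be able to write web.config for `ProtectConnectionStrings` to succeed, and with Windows Authentication that same account needs a login on the database server.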
