How to Protect Against Data Theft by Securing a Website's Config File and by Publishing a Project in Visual Studio.NET
Protecting Your Website Code
There are two simple ways this article will show how you can protect your logic and your code at the same time. There are more steps one can take, but I’m keeping two things in mind, protecting simple global settings and protecting code it self.
It is normal to see websites that do not take extra steps to protect their code and business information. Yes, I was one of them too until I forced myself to take extra steps, and what I found out is, it saves time not takes time. Meaning, if you have a poor structure of your website it will take you many, many hours to go back and modify the code to protect the data at later time. However, if you take the time from the beginning, you will have fewer problems later.
Please note, this article is based on Visual Studio.Net.
Protection Plan #1: Protect the Web.Config File
Many developers use web.config file to keep their global settings / variable so they can access them from any part of the website. For example, SQL connection string with username and passwords, webmaster’s email address, website name to use within the code or to display, SMTP information including SMTP server, and username / password.
These items are all important and storing in web.config might be one of the ways to access them globally from any part of the code, but its not the only option.
Consider this, if you have your SQL connection string with your username and password, and / or your SMTP server name with username and password stored in web.config file, anyone who has access to your folder at the hosting server also have access to this information. You may trust your hosting company, but in order to protect this information we need to store this into another place than web.config file.
The better option is to add a “Resource File” which studio.net will automatically place is under the folder “App_GlobalResources” in your project. Now you can store information within this resource file as you would have in web.config file. However, to protect this file, now you need to follow projection plan #2.
Projection Plan #2: Publishing a Complete ASP.NET Project
At this time I’m assuming you have moved your sensitive information to App_GlobalResource. This step talks about publishing your project rather than keeping all separate files.
By that I mean, converting your entire website into web executable rather than leaving all logic open for anyone to see.
By converting your project into “published” project, visual studio.net strip out all of the code from your asp.net classes and your pages, and convert them to .dll files. Which as we know are not human readable. See the screen shot below which shows which icon to click.
Once you start the publishing process, you will have to enter a new path for the published code, which you can FTP to your hosting company.
Once you follow plan #1 and plan #2 above, you will be sure to protect your sensitive information such as SQL database connections strings and username / password. Also you will be able to project your business logic from anyone who has access to your hosting folder.
You might think you trust your hosting person or company, but in reality you are giving them the information which can bring your website down.
It’s better to be safe than sorry.
