If you're concerned about keeping critical information in your Web.config file, then you should encrypt it -- or at least the parts that you're concerned about.

Creating a Web configuration INI file Application-specific configuration information has historically been stored in INI files, which are plain-text files that contain key/value data within sections.

A major area where security is often lax is the web.config file. Usually stored in plain text, an intruder who gains access to this file can then easily access databases and other resources both ...

While the settings in the web.config file apply only to the application, the settings present in the machine.config file are applicable machine-wide.

You can add a web.config file to your folder which just contains the above, or you can use the <location> tag in your main web.config to achieve the same effect: <location path="Upload"> <system.web> ...

A well-intentioned system administrator could inadvertently get around application security measures and open the Web site to attack just by modifying the configuration file.

Virtually all Web-based applications require some debugging. Visual Studio 2005 will even automatically modify the Web.config file to allow debugging when you start to debug your application.