IIS/ASP.NET will not serve direct requests to Web.config, which protects possibly sensitive information (e.g. connection strings, email addresses) from the public...at least in theory. The handler only refuses HTTP requests for the file itself; anyone with read access to the file system (or to a stray backup copy) still sees the values in clear text.
You can further protect web.config information via encryption. Out of the box, the aspnet_regiis.exe utility that ships with the .NET Framework will encrypt the sections of web.config you choose.
Here is a sample <appSettings> section:
If the application is hosted at http://localhost/myApp, we could run the following command to encrypt it:
- aspnet_regiis -pe "appSettings" -app "/myApp"
Implementing Code to Retrieve Configuration Settings
What's great is that the code that accesses the configuration settings need not change, e.g.:
- string strGUID = ConfigurationSettings.AppSettings["ROOTGUID"];  (on .NET 2.0 and later, ConfigurationManager.AppSettings is the non-obsolete equivalent)
...would work before and after encryption.
To decrypt the configuration settings, just substitute a "-pd" switch for "-pe":
- aspnet_regiis -pd "appSettings" -app "/myApp"
...Finally, I came across a good article about handling this encryption/decryption programmatically (e.g. via an ASP.NET page or a console app). Here's the link.
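The programmatic equivalent of the -pe / -pd commands above, as an added example (not code from the original post or from the linked article): it opens the web.config of the application, protects or unprotects the appSettings section, and shows that reading a setting is unchanged either way. The virtual path "/myApp" is taken from the post's command line and is an assumption; the process must run with write access to the web.config and, for -app style paths, with access to the IIS site configuration.

```csharp
// Added example, not from the original post. Encrypts/decrypts <appSettings> in a web
// application's web.config the same way aspnet_regiis -pe / -pd does.
// Needs references to System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class AppSettingsProtector
{
    // DataProtectionConfigurationProvider uses Windows DPAPI, so the ciphertext can only be
    // read on the machine (and, by default, by the identity) that encrypted it. For a web
    // farm use "RsaProtectedConfigurationProvider" and export/import the RSA key container
    // on each server instead.
    private const string Provider = "DataProtectionConfigurationProvider";

    // virtualPath is the IIS application path, e.g. "/myApp" (assumed from the post).
    public static void Encrypt(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);   // rewrites web.config with ciphertext
        }
    }

    public static void Decrypt(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);   // plaintext is back on disk
        }
    }

    // Useful as a deployment check: fail a release if the section is not protected.
    public static bool IsProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        return section != null && section.SectionInformation.IsProtected;
    }

    // Reading is identical before and after encryption: the configuration system decrypts
    // transparently for code running as the application. Inside the web app itself this is
    // simply ConfigurationManager.AppSettings["ROOTGUID"]; from a console app we go through
    // the opened Configuration object for that web application.
    public static string ReadRootGuid(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        KeyValueConfigurationElement element = config.AppSettings.Settings["ROOTGUID"];
        return element == null ? null : element.Value;
    }

    // Usage: AppSettingsProtector.exe encrypt|decrypt|status [/virtualPath]
    public static void Main(string[] args)
    {
        string action = args.Length > 0 ? args[0] : "status";
        string app = args.Length > 1 ? args[1] : "/myApp";

        if (action == "encrypt") Encrypt(app);
        else if (action == "decrypt") Decrypt(app);

        Console.WriteLine("appSettings protected: " + IsProtected(app));
        Console.WriteLine("ROOTGUID readable:     " + (ReadRootGuid(app) != null));
    }
}
```

Note that encryption only protects the file at rest: any code running under the application pool identity on that machine (including a compromised page) still obtains the decrypted values, so it complements, rather than replaces, file-system permissions on web.config.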