You should move the security-sensitive details into web.config
, because configuration files support encryption. Source code, on the other hand, is not encrypted. Although it could be obfuscated, obfuscators would not change the content of string literals.
Fortunately, encrypting parts of web.config
is a standard feature. ASP.NET IIS Registration Tool is the tool that you can use to do the encryption. Here is a link to a post describing the process. Here is a link to another very useful article from Microsoft on the same topic: Creating and Exporting an RSA Key Container.