Question

This is a random thought I just had while playing around with a simple send email feature on my ASP.NET website:

MailMessage mailMessage = new MailMessage();
mailMessage.To.Add("test@gmail.co.uk");
mailMessage.From = new MailAddress("test2@gmail.com");
System.Net.NetworkCredential basicauthenticationinfo =
    new System.Net.NetworkCredential("username", "pass123");

The above is the extract of my code that got me thinking. After deploying the site, 'View Source' allowed me to view the HTML of my site, but I couldn't find any way to see the C# code there in the ASPX.CS file behind it. I tried using Firebug too, and no luck. So is it safe to say that anyone viewing my website won't have any way to see the above information?

I have seen other examples of the above code where people usually specify the NetworkCredentials in the Web.Config file. Does this have the benefit of being any safer?

Is the main idea to try and make use of the Web.config as much as possible in this scenario for the sake of security, or is this only for the sake of keeping the code 'tidier'?


Solution

The web.config file is a better place, benefits being:

  • configuration information is in a configuration file that YOU can easily configure;
  • *.config files are treated by ASP.NET as specially protected files, they will never be served;
  • you can post your code on Git sites without the actual config file and be confident not to open any security leaks.

By keeping configuration information hard-coded you give up those benefits and make your life harder on the security side.
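
One way to apply what the answer describes, as an added example that is not part of the original post: the SMTP settings live in the `<system.net>/<mailSettings>` section of web.config and the code contains no credentials at all. The host name, addresses, user name, password and the `Mailer` class are constructed placeholders.

```csharp
// Added example, not code from the original question or answer.
// All host names, addresses and credentials below are constructed placeholders.
//
// web.config (kept out of source control; ASP.NET does not serve *.config files):
//
//   <configuration>
//     <system.net>
//       <mailSettings>
//         <smtp from="noreply@example.com">
//           <network host="smtp.example.com" port="587" enableSsl="true"
//                    userName="smtp-user" password="PLACEHOLDER" />
//         </smtp>
//       </mailSettings>
//     </system.net>
//   </configuration>

using System.Net.Mail;

public static class Mailer
{
    public static void SendTestMessage(string recipient)
    {
        // No From address is set here: the parameterless MailMessage
        // constructor takes it from the <smtp from="..."> attribute.
        using (var message = new MailMessage())
        {
            message.To.Add(recipient);
            message.Subject = "Test";
            message.Body = "Sent with settings loaded from web.config.";

            // The parameterless SmtpClient constructor reads host, port,
            // enableSsl and the credentials from <mailSettings>/<smtp>,
            // so no NetworkCredential appears in the compiled code.
            using (var client = new SmtpClient())
            {
                client.Send(message);
            }
        }
    }
}
```

With this layout the repository can carry a web.config that holds only placeholder values, while the real file exists only on the server.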

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow