The web.config
file is a better place, benefits being:
- configuration information is in a configuration file that YOU can easily configure;
*.config
files are treated by ASP.NET as specially protected files, they will never be served;- you can post your code on Git sites without the actual config file and be confident not to open any security leaks.
By keeping configuration information hard coded you renounce to those benefits and make your life harder on the security side.