Microsoft has by default the connection string / (also encrypted if you want ) in the web.config.
I came across settings.txt in app_data during upgrade. I would recommend/ suggest to follow Microsoft path. If you use Windows identity, your database cannot be accessed, if no SQL connections allowed. However, if you have sql connections allowed and app_data\settings.txt would be readable that would have dramatic effect(s).
If I would be working at Microsoft, I would hardcode that web.config or .config would never be able to leave the web server. For text files I would not do that.
Sure, you are right for app_data..app_code etc. Shouldn't be served. However, that file is in the middle of other files, and has been added by Microsoft recently. In the past it has always been web.config similar to htaccess file on Apache. If somebody does not know that this app_data is a special directory and might install apache or other software (other than MS IIS) wrong. See link below how it is explained in the past:
Microsoft is also triggering PHP/ JAVA community to take benefit of hosting with Microsoft IIS. If somebody just reads the wrong post..or believes it works similar...most likely that person will also give acces to web.config...so maybe we cannot avoid that....I guess you are right.
Further to above, I have two question regarding the connection string:
1. Is there any way to encrypt it and still have the application run without any further modifications? Unfortunately this is required by a lot of security consultants
2. Is there any way to create Release/Debug versions?
I'd also like to know the best way to do this - I want to use the standard web.config 'release' and 'dev' for my deployment to use different database connection strings.
hoping to get some help here, we need the connection string in the web.config to support deployment to different environments (the 'normal .net way').
How do we tell nopcommerce to look in the web.config vs. a 'settings.txt' file ?
It seems unnecessary to re-invent the wheel and complicate the matter to put connection string in Settings.txt, an awkward design for an otherwise well-designed app.
I personally don't see any issue with having the connection string within App_Data
It shouldn't be a heavy lift to encrypt the connection string using a machine key or something similar.
An .NET specific deployment platform such as Octopus Deploy can handle transforms of all types with very little difficulty. Its lowest usage tier is free and should easily meet your needs.
For deployments to different environments, once Settings.txt is setup, there should be little to no reason to update that file going forward.