1

I could not get a satisfactory answer to my questions on Google. They are:

  • How secure is the ConnectionString over the HttpRequest?
  • Is using the ConnectionString in the web.config file more secure than using it in a specific aspx page?
  • And how do I secure the ConnectionString for a highly secure website?

I'm just curious to know about this.

12
  • Are you sending connection strings over HTTP? Commented Mar 28, 2012 at 13:02
  • 2
    web.config is safe, IIS will not serve this file to the client. Commented Mar 28, 2012 at 13:02
  • 1
    @AshwiniVerma: Note that encrypting might secure your web.config more, but only against people who already have access to read it on the server. No configuration file will be sent over the network. Commented Mar 28, 2012 at 13:12
  • 1
    @AshwiniVerma: Specify hacker. If this person belongs to the group which has read access on your server, your problem might not be solved ;) Commented Mar 28, 2012 at 13:26
  • 1
    That can help, but it might be easier (if applicable) to use integrated security and not store the username/password in cleartext at all. More important is to secure your network and server in general (firewalls, service packs/patches, minimum software, separate db and webserver, closed db ports, ...). Commented Mar 28, 2012 at 13:39

7 Answers

8

You can encrypt the connection string inside the web.config; here is an article from Microsoft about this topic: http://msdn.microsoft.com/en-us/library/dx0f3cf2(v=vs.80).aspx

If you are sending the connection string over a channel, it's not more secure than the channel. For example, send the connection string over HTTP and it will be just plain text, over HTTPS and it will be encrypted, over FTP just plain text, and so on...

If you have a web application in a shared hosted environment, you should be worried that the provider may get hacked.

So just keep the connection string inside the web.config and encrypt it and don't send it around on internet ;-)

2 Comments

In a local connection you do not even need to encrypt it, just select Integrated Security=True: <add name="OneConnection" connectionString="Data Source=localhost;Initial Catalog=TheDB;Integrated Security=True;" providerName="System.Data.SqlClient" /> Even if you read that, there is nothing you can do with it.
@Aristos: but it is not a local server.
4

The connection strings are safe in the web.config. They are very secure unless you print them out on the web requests.

2 Comments

Could you explain a bit here? You probably meant something more, as I am sure you are well aware that storing a plain text conn string in a web config is not drastically secure, as the config file can be downloaded (through hundreds of vulnerabilities) remotely and read directly as plain text.
@oleksii: Yes, you are right. That's why I'm looking forward to knowing more about this.
3

Nice project on CodePlex: Encrypt/Decrypt Connection string

Comments

2

There are quite a few methods to secure your connection string, like:

  1. Encrypt your connection string and save it in web.config
  2. Encrypt your connection string and save it in the Windows registry

It's best to save the connection string in web.config, to be used as a single point of use for the whole application.

Comments

2

How secure is the ConnectionString over the HttpRequest?

It is a string. It is only as secure as the connection is, so, normally not at all. This is assuming you are sending the connection string details over an HttpRequest. If this is not the case and your connection string is used in the web.config, it is as safe as the file itself and IIS are.

Is using the ConnectionString in the web.config file more secure than using it in a specific aspx page?

No.

And how do I secure the ConnectionString for a highly secure website?

Normally, one uses integrated security (Windows authentication) to avoid hard coding of a username and password. Additionally, you can encrypt the configuration section, as described here (RSA) and here (DPAPI).

Comments
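
The section encryption and integrated-security advice in the answer above, as an added example that is not part of the original answers: a C# helper that encrypts the connectionStrings section of an ASP.NET web.config with one of the two built-in providers (RSA or DPAPI) and lists entries that still embed a password. The class name, method names and the virtual path argument are assumptions.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data.Common;
using System.Web.Configuration;

// Added example; class and method names are hypothetical.
public static class ConnectionStringHardening
{
    // Built-in protected-configuration providers (RSA and DPAPI).
    public const string Rsa = "RsaProtectedConfigurationProvider";
    public const string Dpapi = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the web.config at virtualPath
    // (for example Request.ApplicationPath).
    // Returns false if the section was already encrypted.
    public static bool Protect(string virtualPath, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section not found");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Names of entries that still carry a password instead of relying on
    // Integrated Security (Windows authentication).
    public static List<string> EntriesWithPassword(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        var found = new List<string>();
        foreach (ConnectionStringSettings entry in config.ConnectionStrings.ConnectionStrings)
        {
            var builder = new DbConnectionStringBuilder();
            builder.ConnectionString = entry.ConnectionString;
            if (builder.ContainsKey("Password") || builder.ContainsKey("Pwd"))
                found.Add(entry.Name);
        }
        return found;
    }
}
```

The protected section is decrypted transparently at run time, so application code keeps reading ConfigurationManager.ConnectionStrings unchanged.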

0

How secure is the ConnectionString over the HttpRequest?

Do you send the connection string over an HTTP request? Really? What scenario is it? Usually only requests for a webpage travel through an HTTP request, and the response as well. The connection string is something your code uses internally to access data, and it stays on your server.

Is using the ConnectionString in the web.config file more secure than using it in a specific aspx page?

Think about maintainability. If you put your connection string in a class, you have to rebuild your app when you have to change your connection string. If somebody has access to the folder where you have your files, they can use a disassembler to see what is in your DLLs.

And how do I secure the ConnectionString for a highly secure website?

You can encrypt the connection string in web.config. Check this link: http://www.codeproject.com/Tips/304638/Encrypt-or-Decrypt-Connection-Strings-in-web-confi

Comments

0

To answer your questions in turn:

  • How secure is the ConnectionString over the HttpRequest?

You should never have to pass your connection string over HTTP; what usually happens is a user makes a request, your site processes the request including connecting to the database, and returns the result to the client. Connection String should not be sent over HTTP in this scenario.

  • Is using the ConnectionString in the web.config file more secure than using it in a specific aspx page?

Depends on what you do with the connection string - if you ever write it out to the client then it's never going to be secure! The connection string is usually placed into config for reusability purposes; embedding it on every page makes for a lot more maintenance and potential bugs.

  • And how do I secure the ConnectionString for a highly secure website?

You can encrypt the connection - so it is never stored as plain text, or use Windows Authentication so you never need a password. This is supported by ASP.Net as described here and here.

Comments
