一般来说，web.config 是一个安全文件，IIS 不提供它，因此它不会暴露给向 Web 服务器发出请求的用户.Web 服务器仅提供特定类型的文件，而 web.config 肯定不是其中之一.

Generally, web.config is a secure file and IIS does not serve it, therefore it will not be exposed to users who are making requests to web server. Web server only serves specific type of files and web.config is surely not one of 'em.

您经常将包含密码的数据库连接字符串保存在其中.现在想象一个 web.config 不安全的场景.您对您的应用程序造成了重大安全威胁.

Quite often you save your database connection string in it which includes password. Now imagine an scenario where web.config was not secure. You have created a major security threat to your application.

所以，特别是只要你的项目不是太大，就不用担心.

Therefore, specially as long as your project is not too big, you should not be worrying about it.

然而，您可能有更好的方法，但创建一个名为Resources"的项目并将所有关键信息(如设置、常量、枚举等)保存在其中.这将是一种巧妙而有组织的方法.

Yet, you may have a better approach but creating a project called "Resources" and save all the critical information such as settings, consts, enums and etc in there. That would be a slick and organized approach.

如果您通过网络传递用户名/密码(例如在安全 API 调用的情况下)，您可能需要使用 https 来确保传输的信息是加密的，但与此无关web.config 文件的安全性.

If you are passing the username/password over the wire though (for example in case of a secured API call), you may want to use https to make sure that information that are travelling are encrypted but that has nothing to do with the security of web.config file.