I am reading books and tutorials on writing provider-hosted apps.
Everywhere I look, people make the following entry in the web.config file:
<add key="ClientSigningCertificatePath" value="c:\foo\foo.pfx" />
<add key="ClientSigningCertificatePassword" value="password" />
I am a little surprised that people carelessly leave this certificate on the C drive without even realizing that if someone gets hold of this certificate, they can spoof any user to SharePoint, because SharePoint will blindly trust the access token that is created by signing with this certificate.
Could I change this to store the certificate in a database instead, so that it is stored encrypted and protected?
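The risk the question describes is real: whoever can read the PFX file and the plaintext password in web.config holds the key that mints access tokens, and moving the blob into a database does not change that if the database credentials sit in the same config file. The usual mitigation on Windows is to import the certificate into the machine certificate store with a non-exportable private key, reference it by thumbprint only, and grant the application pool identity read access to the private key. The following is an added example written for this page, not code from the question or from the SharePoint app templates; it assumes a web.config key named `ClientSigningCertificateThumbprint` (the name is an assumption) and a helper class `SigningCertificateStore` that did not exist in the original.

```csharp
// Added example (not from the question or from the SharePoint app templates).
// Goal: keep the signing certificate out of the file system and keep its
// password out of web.config. The private key stays, non-exportable, in the
// Windows certificate store; web.config holds only the thumbprint.
//
// web.config (assumed replacement for the two keys quoted in the question;
// the key name is an assumption, the value is a placeholder):
//   <add key="ClientSigningCertificateThumbprint" value="PLACEHOLDER_THUMBPRINT" />
//
// After importing the PFX into LocalMachine\My (without marking the key
// exportable), grant the app pool identity Read on the private key via
// certlm.msc > All Tasks > Manage Private Keys, so only that identity can sign.

using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class SigningCertificateStore
{
    private const string ThumbprintKey = "ClientSigningCertificateThumbprint";

    // Loads the signing certificate from LocalMachine\My by thumbprint.
    // Throws instead of silently returning a certificate without a usable
    // private key, because a public-only certificate cannot sign tokens and
    // would fail later in a much less obvious way.
    public static X509Certificate2 Load()
    {
        string thumbprint = ConfigurationManager.AppSettings[ThumbprintKey];
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ConfigurationErrorsException(ThumbprintKey + " is not set in appSettings.");

        // Normalise: keep only hex digits, which drops spaces and the invisible
        // left-to-right mark that the certificate MMC snap-in copies along with
        // the thumbprint and which otherwise makes Find() return nothing.
        thumbprint = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false so an expired or self-signed certificate still
            // surfaces here and the failure is reported explicitly below.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + thumbprint + " in LocalMachine\\My.");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key readable by this identity; " +
                    "check the private key ACL for the application pool account.");

            return cert;
        }
    }
}
```

Wherever the project builds the certificate from `ClientSigningCertificatePath` and `ClientSigningCertificatePassword` (in the template-generated TokenHelper.cs, this is a `new X509Certificate2(path, password, ...)` call), call `SigningCertificateStore.Load()` instead and remove both path and password keys from web.config. The private key is then bound to the service identity by the operating system rather than protected by a string in a config file, and an attacker who can read web.config learns only a thumbprint, which is public information.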