Sitecore recommends moving the data folder outside the webroot for security reasons. This is normally a good idea, as the data folder contains information that should not be accessible to end users. However, you can just as well rely on the protection .NET applies to the App_Data folder.
I have seen quite a few Sitecore installations where the data folder has been moved outside the webroot. This is the practice Sitecore recommends, but when you move the data folder outside the webroot, you need to enter an absolute path in web.config. This can be quite annoying, as the absolute path may vary from environment to environment: you might have to change the setting every time you deploy to your test and production environments, or, even worse, it might vary from developer machine to developer machine.
Another solution is to use the App_Data folder. The App_Data folder was introduced by Microsoft to hold file-based databases and similar data files securely. Files placed in this folder cannot be requested directly by end users, so you will not have any issues with that: a special httpHandler denies such requests before the file is served. Microsoft writes:
“Storing an XML data file in the Web application directory is a potential security threat. By default, IIS will serve XML data files to the Web. To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory. Files stored in the App_Data directory will not be served to the Web.”
The quote can be found here.
To use the App_Data folder, just create a folder called “App_Data” in your webroot and move the contents of the normal Sitecore data folder into it. Then all you need to do is change the dataFolder location in web.config, which is done here:
<sc.variable name="dataFolder" value="/App_Data" />
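As an added example (not code from the original post or from Sitecore), a small Python check that reads the dataFolder variable from a web.config and reports which of the three situations above it falls into: under App_Data (protected), an absolute path (outside the webroot, but environment-specific), or elsewhere under the webroot (served to the web). The web.config snippet is constructed for illustration.

```python
"""Classify where a Sitecore web.config's dataFolder variable points."""
import posixpath
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of the relevant part of a Sitecore web.config (not a real file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <sitecore database="SqlServer">
    <sc.variable name="dataFolder" value="/App_Data" />
    <sc.variable name="mediaFolder" value="/upload" />
  </sitecore>
</configuration>
"""


def data_folder_value(web_config_xml: str) -> str:
    """Return the value of <sc.variable name="dataFolder">, or raise if absent."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    for var in root.iter("sc.variable"):
        if var.get("name") == "dataFolder":
            return var.get("value", "")
    raise ValueError("no dataFolder sc.variable found")


def classify_data_folder(value: str) -> str:
    """Classify a dataFolder value.

    'app_data' - relative path under App_Data: ASP.NET refuses direct requests, portable.
    'absolute' - drive-qualified or UNC path: keep it outside the webroot; varies per environment.
    'exposed'  - relative path elsewhere under the webroot: IIS may serve its files directly.
    """
    p = PureWindowsPath(value)
    if p.is_absolute() or p.drive:  # e.g. D:\sitecore\data or \\server\share\data
        return "absolute"
    # Normalise the virtual path so "/App_Data/../data" is not mistaken for App_Data.
    virtual = posixpath.normpath("/" + value.replace("\\", "/").lstrip("~/"))
    parts = [s.lower() for s in virtual.split("/") if s]
    if parts and parts[0] == "app_data":
        return "app_data"
    return "exposed"


if __name__ == "__main__":
    value = data_folder_value(SAMPLE_WEB_CONFIG)
    print(f"dataFolder = {value!r}: {classify_data_folder(value)}")
```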
So consider using the App_Data folder if you don’t want to enter an absolute path in your web.config.