Yes, it is safe. Thay cannot be directly requested from the web.
Any *.mdf files placed in the App_Data directory are covered by:
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="true" />
That's included in your base web.config
in the CONFIG subdirectory of the .Net Framework 2.0.
See the web.config.comments file in that directory
for a complete list of protected files.
Juan T. Llibre, ASP.NET MVP
ASP.NET FAQ :
http://asp.net.do/faq/
ASPNETFAQ.COM :
http://www.aspnetfaq.com/
Foros de ASP.NET en Español :
http://asp.net.do/foros/
======================================