ASP.NET Core apps use appsettings.json to store configuration such as connection strings, API keys, and other secrets. If that file is unprotected (for example, committed to source control or deployed readable), it can expose sensitive data.
Why Security Matters
- Connection strings often include DB usernames and passwords.
- API keys/secrets can unlock external services.
- Misconfigurations may leak data in logs or error pages.
- Compromised values can lead to data theft, privilege escalation, or abuse.
Default Configuration Sources
- appsettings.json
- appsettings.{Environment}.json
- Environment variables
- User Secrets (development)
- Key vaults/secrets managers (production)
Security Options
- User Secrets (Dev Only)
  - Stored locally, not in source control.
  - dotnet user-secrets set "ConnectionStrings:DefaultConnection" "..."
- Environment Variables
  - Safer than JSON files, follows 12-factor app principles.
  - Example (PowerShell):
- Cloud Secret Managers (Production)
  - Azure Key Vault
  - AWS Secrets Manager
Best Practice:
Use User Secrets for local dev, Environment Variables for staging, and a Cloud Secret Manager for production.
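As an added example (not code from the original post), here is a Program.cs that wires the three sources in the recommended order and fails fast at startup if a required secret is missing or, outside Development, is still being read from a JSON file. The key names "ConnectionStrings:DefaultConnection", "ExternalApi:Key" and "KeyVault:Uri" are assumptions for this example; the Key Vault provider comes from the Azure.Extensions.AspNetCore.Configuration.Secrets package and Azure.Identity.

```csharp
// Added example (not from the original post). Assumed key names:
// ConnectionStrings:DefaultConnection, ExternalApi:Key, KeyVault:Uri.
using Azure.Identity;                            // NuGet: Azure.Identity
using Microsoft.Extensions.Configuration.Json;   // JsonConfigurationProvider

var builder = WebApplication.CreateBuilder(args);
// CreateBuilder already registers, in this order (a later source overrides an earlier one):
//   appsettings.json -> appsettings.{Environment}.json -> User Secrets (Development only)
//   -> environment variables -> command-line arguments.
// Environment variables use "__" as the section separator, so in PowerShell the
// connection string is set with:
//   $env:ConnectionStrings__DefaultConnection = "Server=...;User Id=...;Password=..."

if (!builder.Environment.IsDevelopment())
{
    // Staging/production: read secrets from Azure Key Vault with the host's managed
    // identity. Key Vault secret names cannot contain ":", so the provider maps "--"
    // to ":" (store the secret as "ConnectionStrings--DefaultConnection").
    var vaultUri = builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri is not configured.");
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
}

// Secrets the app cannot start without.
string[] requiredSecrets = { "ConnectionStrings:DefaultConnection", "ExternalApi:Key" };
foreach (var key in requiredSecrets)
{
    var source = SecretSourceCheck.EffectiveProvider(builder.Configuration, key);
    if (source is null)
        throw new InvalidOperationException($"Required secret '{key}' is not configured.");

    // User Secrets are also a JSON provider (secrets.json), which is fine in Development;
    // anywhere else a JSON-backed secret means it is sitting in a deployed file.
    if (!builder.Environment.IsDevelopment() && source is JsonConfigurationProvider)
        throw new InvalidOperationException(
            $"Secret '{key}' is read from a JSON file in environment " +
            $"'{builder.Environment.EnvironmentName}'; move it to environment variables or Key Vault.");
}

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

static class SecretSourceCheck
{
    // Walks providers from last-registered to first; the first provider holding a
    // non-empty value is the one whose value wins, matching ASP.NET Core's precedence.
    public static IConfigurationProvider? EffectiveProvider(IConfigurationRoot root, string key)
    {
        foreach (var provider in root.Providers.Reverse())
        {
            if (provider.TryGet(key, out var value) && !string.IsNullOrEmpty(value))
                return provider;
        }
        return null;
    }
}
```

Run it locally after `dotnet user-secrets set "ConnectionStrings:DefaultConnection" "..."` and it starts normally; deploy it with the secret only in appsettings.json and it refuses to start, which is the behaviour you want from a misconfigured production host.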
Cheers
Samitha
