Securing Connection Strings & AppSettings in ASP.NET Core

 ASP.NET Core apps use appsettings.json to store configuration like connection strings, API keys, and secrets. If unprotected, these can expose sensitive data.

Why Security Matters

• Connection strings often include DB usernames & passwords.

• API keys/secrets can unlock external services.

• Misconfigurations may leak data in logs or errors.

• Compromised values can lead to data theft, privilege escalation, or abuse.

Default Configuration Sources

• appsettings.json

• appsettings.{Environment}.json

• Environment variables

• User Secrets (development)

• Key vaults/Secrets managers (production)

Security Options

1. User Secrets (Dev Only)

   • Stored locally, not in source control.

   • dotnet user-secrets set "ConnectionStrings:DefaultConnection" "..."

2. Environment Variables

   • Safer than JSON files, follows 12-factor app principles.

   • Example (PowerShell):

     $env:ConnectionStrings__DefaultConnection="..."
     

3. Cloud Secret Managers (Production)

   • Azure Key Vault

     builder.Configuration.AddAzureKeyVault(
         new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
         new DefaultAzureCredential());
     

   • AWS Secrets Manager

     var secret = await secretsManager.GetSecretValueAsync(
         new GetSecretValueRequest { SecretId = "MyApp-DbConnection" });
     

Best Practice: 

Use User Secrets for local dev, Environment Variables for staging, and a Cloud Secret Manager for production.

Cheers

Samitha