
Sunday, October 5, 2025

Securing Connection Strings & AppSettings in ASP.NET Core

ASP.NET Core apps use appsettings.json to store configuration such as connection strings, API keys, and other secrets. If these values are left unprotected (committed to source control or readable on a shared host), they expose sensitive data.

Why Security Matters

  • Connection strings often include DB usernames & passwords.

  • API keys/secrets can unlock external services.

  • Misconfigurations may leak data in logs or errors.

  • Compromised values can lead to data theft, privilege escalation, or abuse.

Default Configuration Sources

  • appsettings.json

  • appsettings.{Environment}.json

  • Environment variables

  • User Secrets (development)

  • Key vaults/Secrets managers (production)

Security Options

  1. User Secrets (Dev Only)

    • Stored locally, not in source control.

    • dotnet user-secrets set "ConnectionStrings:DefaultConnection" "..."

  2. Environment Variables

    • Safer than committed JSON files; follows 12-factor app principles. A double underscore (__) in the variable name stands in for the ":" section separator used in appsettings.json.

    • Example (PowerShell):

      $env:ConnectionStrings__DefaultConnection="..."

  3. Cloud Secret Managers (Production)

    • Azure Key Vault (requires the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages)

      builder.Configuration.AddAzureKeyVault(
          new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
          new DefaultAzureCredential());

    • AWS Secrets Manager (requires the AWSSDK.SecretsManager package)

      var secretsManager = new AmazonSecretsManagerClient();
      var secret = await secretsManager.GetSecretValueAsync(
          new GetSecretValueRequest { SecretId = "MyApp-DbConnection" });
      var connectionString = secret.SecretString;


Best Practice: 

Use User Secrets for local dev, Environment Variables for staging, and a Cloud Secret Manager for production.
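Putting the sources together, as an added example that is not code from the original post: a minimal Program.cs that relies on the default provider order (appsettings.json, appsettings.{Environment}.json, user secrets in Development, environment variables), adds Key Vault only in Production, and fails fast when the connection string is missing. It assumes the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages and a KeyVaultName entry in appsettings.json.

```csharp
// Added example (not from the original post). Assumes the packages
// Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity,
// and an assumed "KeyVaultName" setting in appsettings.json.
using Azure.Identity;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

// WebApplication.CreateBuilder already registers, in this order:
// appsettings.json -> appsettings.{Environment}.json -> user secrets (Development only)
// -> environment variables. Later sources override earlier ones, so the
// environment variable ConnectionStrings__DefaultConnection wins over the JSON file.

if (builder.Environment.IsProduction())
{
    // Key Vault is added last so its values override everything stored in files.
    var vaultName = builder.Configuration["KeyVaultName"]
        ?? throw new InvalidOperationException("KeyVaultName is not configured.");
    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{vaultName}.vault.azure.net/"),
        new DefaultAzureCredential());
}

// Fail at startup instead of at the first database call, and never put the
// secret itself into the exception message (it could end up in logs).
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
if (string.IsNullOrWhiteSpace(connectionString))
{
    throw new InvalidOperationException(
        "ConnectionStrings:DefaultConnection is missing. Set it with user-secrets " +
        "(Development), an environment variable, or Key Vault (Production).");
}

var app = builder.Build();

// Troubleshooting endpoint: reports which provider supplied the value, not the value.
app.MapGet("/config-check", (IConfiguration cfg) =>
{
    if (cfg is not IConfigurationRoot root)
        return Results.Ok(new { source = "unknown" });
    var provider = root.Providers
        .LastOrDefault(p => p.TryGet("ConnectionStrings:DefaultConnection", out _));
    return Results.Ok(new { source = provider?.ToString() ?? "none" });
});

app.Run();
```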


Cheers

Samitha
