How to manage User Secrets in ASP.NET Core Web API
Why should we hide the user secrets
When developing an ASP.NET Core application, the user secrets feature is essential for safeguarding sensitive information such as database credentials and API keys.
Instead of storing these secrets directly in configuration files like appsettings.json, we should keep them in a safe place.
This prevents unintentional exposure of sensitive details when pushing code to version control, ensuring a safer development environment.
Benefits of securing the secrets
Keeping data secure gives us the following benefits:
- Enhanced Security
- Version Control Safety
- Development Flexibility
Multiple options to secure appsettings information
We have multiple ways to keep data secure:
- Azure Key Vault
- AWS Secrets Manager
- Using .NET user secrets manager
Securing data via user secrets file
We can secure our data in just three simple steps.
STEP 1 - Create File
Right-click your project in Visual Studio and you will see a 'Manage User Secrets' option; click on it.
It will automatically install the following NuGet package:
Microsoft.Extensions.Configuration.UserSecrets
STEP 2 - Add Secrets
It will open an empty file. Move the information you want to hide into it.
{
  "ConnectionStrings": {
    "DefaultConnection": "Some-Connection-String"
  },
  "SymmetricEncryptionKeys": {
    "PublicKey": "Some-Public-Key"
  }
}
You will now see a secret ID in the .csproj file, like this. The secrets file itself resides in a different place, not in the code.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <UserSecretsId>2d379d35-0351-4812-a3c3-8a3e959e5f5c</UserSecretsId>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Macross.Json.Extensions" Version="3.0.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="6.0.1" />
    <PackageReference Include="Refit" Version="7.0.0" />
    <PackageReference Include="Refit.HttpClientFactory" Version="7.0.0" />
    <PackageReference Include="System.Text.Json" Version="7.0.3" />
    <PackageReference Include="Ulid" Version="1.3.3" />
  </ItemGroup>
</Project>
This ID is used to retrieve the information; nothing else goes with the code.
If the same setting is present in both appsettings.json and user secrets, the value from user secrets is the one that is read.
STEP 3 - Start using information with Options Pattern/IConfiguration
Read the data from user secrets in the same way as you do for appsettings.json, using either the Options pattern or IConfiguration.
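Step 3 as an added example (not code from the original article): a minimal Program.cs that reads the two values from Step 2 through both IConfiguration and the Options pattern, fails at startup if either is missing, and never echoes the values back. It assumes a web project (Microsoft.NET.Sdk.Web) with implicit usings enabled; the class name SymmetricEncryptionKeysOptions and the /config-check route are hypothetical.

```csharp
// Program.cs - added example. SymmetricEncryptionKeysOptions and
// /config-check are hypothetical names, not from the article.
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// WebApplication.CreateBuilder layers the configuration sources so that
// later ones win: appsettings.json, appsettings.{Environment}.json,
// user secrets (added only when the environment is Development),
// environment variables, command-line arguments.

// Options pattern: bind the "SymmetricEncryptionKeys" section from Step 2
// to a typed class and refuse to start when the value is absent.
builder.Services.AddOptions<SymmetricEncryptionKeysOptions>()
    .Bind(builder.Configuration.GetSection("SymmetricEncryptionKeys"))
    .Validate(o => !string.IsNullOrWhiteSpace(o.PublicKey),
              "SymmetricEncryptionKeys:PublicKey is not configured.")
    .ValidateOnStart();

// IConfiguration: read "ConnectionStrings:DefaultConnection" directly.
string? connectionString =
    builder.Configuration.GetConnectionString("DefaultConnection");
if (string.IsNullOrWhiteSpace(connectionString))
{
    throw new InvalidOperationException(
        "ConnectionStrings:DefaultConnection is not configured.");
}

var app = builder.Build();

// Report only whether the secrets resolved, never the values themselves.
app.MapGet("/config-check", (IOptions<SymmetricEncryptionKeysOptions> keys) =>
    Results.Ok(new
    {
        environment = app.Environment.EnvironmentName,
        connectionStringConfigured = true,
        publicKeyConfigured = keys.Value.PublicKey.Length > 0
    }));

app.Run();

// Typed view of the "SymmetricEncryptionKeys" section.
public sealed class SymmetricEncryptionKeysOptions
{
    public string PublicKey { get; set; } = string.Empty;
}
```

Outside the Development environment the user secrets source is not loaded, so the same keys have to come from another source such as environment variables or one of the vault options listed earlier.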
This is the best way to secure your secrets in a local development environment instead of going for cloud options.