How to manage User Secrets in ASP.NET Core Web API

Why should we hide the user secrets

When developing an ASP.NET Core application, the user secrets feature is essential for safeguarding sensitive information such as database credentials and API keys.

Instead of storing these secrets directly in configuration files like appsettings.json, we should keep them in a safe place.

This prevents unintentional exposure of sensitive details when pushing code to version control, ensuring a safer development environment.

Benefits of securing the secrets

Keeping data secure gives us the following benefits:

  • Enhanced Security
  • Version Control Safety
  • Development Flexibility

Multiple options to secure appsettings information

We have multiple ways to keep data secure:

  • Azure Key Vault
  • AWS Secrets Manager
  • Using .NET user secrets manager

Securing data via user secrets file

We can secure our data in just three simple steps.

STEP 1 - Create File

Right-click your project in Visual Studio and you will see the option ‘Manage User Secrets’; click on it.

It will automatically install the following NuGet package:

Microsoft.Extensions.Configuration.UserSecrets

STEP 2 - Add Secrets

It will open an empty file; move the information you want to hide into it.

You will now see a secret ID in the .csproj file, and your secrets file resides in a different place, not in the code.


This ID is used to retrieve the information; nothing else goes with the code.

If the same setting is found in both app settings and user secrets, the value from user secrets is read.

STEP 3 - Start using information with Options Pattern/IConfiguration

Read the data from user secrets the same way as we do for appsettings, with either the Options pattern or IConfiguration.
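The three steps above in one Program.cs, added here as an example and not code from the original article. The `Payments` section, the `PaymentOptions` class, the endpoint paths and the sample values are assumptions made for illustration.

```csharp
// secrets.json (opened by 'Manage User Secrets', stored outside the project folder):
//   { "Payments": { "ApiKey": "constructed-sample-value" } }
//
// appsettings.json (committed; non-sensitive values plus a blank placeholder):
//   { "Payments": { "BaseUrl": "https://payments.example.test", "ApiKey": "" } }
using System.ComponentModel.DataAnnotations;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// CreateBuilder adds user secrets after appsettings*.json when the environment
// is Development, so the secrets.json value overrides the blank placeholder.
// Hosts that do not use the default builder need the explicit call:
// builder.Configuration.AddUserSecrets<Program>();

// Options pattern: bind the section once and validate it.
builder.Services.AddOptions<PaymentOptions>()
    .Bind(builder.Configuration.GetSection("Payments"))
    .ValidateDataAnnotations()   // enforces [Required] on the properties below
    .ValidateOnStart();          // a missing secret stops startup, not the first request

var app = builder.Build();

// IConfiguration style: read a single key by its colon-separated path.
// Report only whether the key is set; never return the secret itself.
app.MapGet("/config-check", (IConfiguration config) =>
    Results.Ok(new { apiKeyConfigured = !string.IsNullOrEmpty(config["Payments:ApiKey"]) }));

// Options style: inject the strongly typed settings.
app.MapGet("/options-check", (IOptions<PaymentOptions> options) =>
    Results.Ok(new
    {
        options.Value.BaseUrl,
        apiKeyConfigured = options.Value.ApiKey.Length > 0
    }));

app.Run();

public sealed class PaymentOptions
{
    [Required] public string BaseUrl { get; set; } = "";

    // Left blank in appsettings.json; [Required] rejects an empty string,
    // so startup fails if user secrets did not supply a value.
    [Required] public string ApiKey { get; set; } = "";
}
```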

This is the best way to secure your secrets in a local development environment instead of going for cloud options.

This article was originally published at https://mwaseemzakir.substack.com/ on .
