Muhammad Waseem

How to manage User Secrets in ASP.NET Core Web API
Oct 28, 2023

Why should we hide the user secrets

When developing an ASP.NET Core application, the user secrets feature is essential for safeguarding sensitive information such as database credentials and API keys.

Instead of storing these secrets directly in configuration files like appsettings.json, we should keep them in a safe place.

This prevents unintentional exposure of sensitive details when pushing code to version control, ensuring a safer development environment.

Benefits of securing the secrets

Keeping data secure gives us the following benefits:

  • Enhanced Security
  • Version Control Safety
  • Development Flexibility

Multiple options to secure appsettings information

We have multiple ways to keep data secure:

  • Azure Key Vault
  • AWS Secrets Manager
  • Using .NET user secrets manager

Securing data via user secrets file

We can secure our data in just three simple steps.

STEP 1 - Create File

Right-click your project in Visual Studio and you will see a 'Manage User Secrets' option; click on it.

It will automatically install the following NuGet package:

Microsoft.Extensions.Configuration.UserSecrets

STEP 2 - Add Secrets

It will open an empty file; move the information you want to hide into it.

{
  "ConnectionStrings": {
    "DefaultConnection": "Some-Connection-String"
  },
  "SymmetricEncryptionKeys": {
    "PublicKey": "Some-Public-Key"
  }
}

Now you will see a secret ID in the .csproj file like this, and your secrets file resides in a different place, not in the code.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <UserSecretsId>2d379d35-0351-4812-a3c3-8a3e959e5f5c</UserSecretsId>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Macross.Json.Extensions" Version="3.0.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="6.0.1" />
    <PackageReference Include="Refit" Version="7.0.0" />
    <PackageReference Include="Refit.HttpClientFactory" Version="7.0.0" />
    <PackageReference Include="System.Text.Json" Version="7.0.3" />
    <PackageReference Include="Ulid" Version="1.3.3" />
  </ItemGroup>
</Project>

This ID is used to retrieve the information; nothing else goes with the code.

If the same information is found in both app settings and user secrets, the value from user secrets is read.

STEP 3 - Start using information with Options Pattern/IConfiguration

Start reading the data from user secrets in the same way as we do for appsettings, using either the Options pattern or IConfiguration.
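Step 3 in code, as an added example that is not from the original article: it reads the two keys from Step 2 through both IConfiguration and the Options pattern, and logs which configuration provider supplied each key so the override order described above can be checked. It assumes a Microsoft.NET.Sdk.Web project with implicit usings; the `SymmetricEncryptionKeysOptions` class and the `/config-check` route are hypothetical names.

```csharp
// Program.cs - added example; assumes a Microsoft.NET.Sdk.Web project (net6.0+)
// with implicit usings and the UserSecretsId from Step 2 in its .csproj.
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
// In the Development environment CreateBuilder registers the user-secrets
// provider after appsettings*.json, so no AddUserSecrets() call is needed here.

// IConfiguration: fail fast instead of running with a missing secret.
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
    ?? throw new InvalidOperationException("ConnectionStrings:DefaultConnection is not set.");

// Options pattern: bind the section from Step 2 and validate it at startup.
builder.Services.AddOptions<SymmetricEncryptionKeysOptions>()
    .Bind(builder.Configuration.GetSection("SymmetricEncryptionKeys"))
    .Validate(o => !string.IsNullOrWhiteSpace(o.PublicKey),
        "SymmetricEncryptionKeys:PublicKey is not set.")
    .ValidateOnStart();

var app = builder.Build();

// Later providers win, so the last provider that holds a key is its effective
// source. Log the provider name only, never the secret value.
foreach (var key in new[] { "ConnectionStrings:DefaultConnection", "SymmetricEncryptionKeys:PublicKey" })
{
    var source = ((IConfigurationRoot)builder.Configuration).Providers
        .LastOrDefault(p => p.TryGet(key, out _));
    app.Logger.LogInformation("{Key} supplied by {Provider}", key, source?.ToString() ?? "(none)");
}

// Inject the bound options where they are needed; report presence, not content.
app.MapGet("/config-check", (IOptions<SymmetricEncryptionKeysOptions> keys) =>
    Results.Ok(new { PublicKeyConfigured = keys.Value.PublicKey.Length > 0 }));

app.Run();

// Hypothetical options class matching the "SymmetricEncryptionKeys" section.
public sealed class SymmetricEncryptionKeysOptions
{
    public string PublicKey { get; set; } = string.Empty;
}
```

The secrets.json file is stored unencrypted under the user profile and is only loaded by default in the Development environment. The startup checks above therefore also catch deployments where the values were never supplied by another provider.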

This is the best way to secure your secrets in a local development environment instead of going for cloud options.

This article was originally published at https://mwaseemzakir.substack.com/ on Oct 28, 2023.
