Storing sensitive information using Application Secrets

Every application has some configuration holding sensitive information, such as database connection strings and the secret keys of third-party providers, usually stored in configuration files or the database. It is always better to secure this information to protect these resources from intruders. Web applications are usually hosted on servers, and although servers have protected access and only authorized users are meant to reach the data, this information can be read by anyone who navigates to the server's path and opens the files. Keeping such information in plain text is therefore not a good practice.

In .NET Core, we can use the Secret Manager tool to protect the sensitive information of an application. The Secret Manager tool allows you to store information in a secrets.json file, which is not stored within the application folder itself. Instead, that file is saved at the following path for different platforms:

Windows: %APPDATA%\microsoft\UserSecrets\{userSecretsId}\secrets.json
Linux: ~/.microsoft/usersecrets/{userSecretsId}/secrets.json
Mac: ~/.microsoft/usersecrets/{userSecretsId}/secrets.json

{userSecretsId} is the unique ID (GUID) associated with your application. Since the file is saved in a separate path, each developer has to create it in their own directory under the UserSecrets directory. This keeps the file from being checked in to source control and keeps the information separate for each user. There are scenarios where a developer uses their own account credentials for database authentication, and this arrangement keeps such information isolated.

From Visual Studio, we can simply add the secrets.json file by right-clicking on the project and selecting the Manage User Secrets option, which is shown as follows:

When you select Manage User Secrets, Visual Studio creates a secrets.json file and opens it in Visual Studio to add configuration settings in JSON format. If you open the project file, you see the entry of the UserSecretsId stored in your project file:

So, if you accidentally close the secrets.json file, you can open it again from the user secrets path, where the UserSecretsId is the name of the subfolder, as shown in the preceding screenshot.
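The following Python script is an added example, not code from the book or from the .NET tooling: it reads the UserSecretsId from a project file, derives the secrets.json location from the paths listed above, and flags JSON files inside the project tree that still carry a connection-string password. The function names, the constructed sample project and the `Password=`/`Pwd=` pattern are assumptions made for this illustration.

```python
import json
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

CRED_RE = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+")  # Password=/Pwd= in a connection string

def user_secrets_id(csproj_text):
    """Return the UserSecretsId recorded in a project file, or None."""
    m = re.search(r"<UserSecretsId>\s*([^<\s]+)\s*</UserSecretsId>", csproj_text)
    return m.group(1) if m else None

def secrets_path(secrets_id, platform, env):
    """Per-user secrets.json location, following the paths listed above."""
    if platform.startswith("win"):
        return PureWindowsPath(env["APPDATA"], "microsoft", "UserSecrets", secrets_id, "secrets.json")
    return PurePosixPath(env["HOME"], ".microsoft", "usersecrets", secrets_id, "secrets.json")

def walk_strings(node, prefix=""):
    """Yield (key, value) per JSON string; keys joined with ':' as IConfiguration does."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for k, v in items:
        key = f"{prefix}:{k}" if prefix else str(k)
        if isinstance(v, str):
            yield key, v
        yield from walk_strings(v, key)  # yields nothing for scalars

def audit_project(root):
    """List JSON files under the project tree that would put secrets into source control."""
    findings = []
    for f in sorted(Path(root).rglob("*.json")):
        rel = f.relative_to(root).as_posix()
        if f.name.lower() == "secrets.json":
            findings.append((rel, "secrets.json inside project tree"))
        try:
            data = json.loads(f.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or non-strict JSON: skipped, not cleared
        findings += [(rel, f"credential in {k}") for k, v in walk_strings(data) if CRED_RE.search(v)]
    return findings

def demo():
    """Constructed sample project whose appsettings.json still embeds a password."""
    with tempfile.TemporaryDirectory() as d:
        leaky = {"ConnectionStrings": {"Db": "Server=db;User Id=app;Password=example-only;"}}
        Path(d, "appsettings.json").write_text(json.dumps(leaky), encoding="utf-8")
        return audit_project(d)

if __name__ == "__main__":
    print(demo())
```

Secret Manager keeps secrets.json as unencrypted plain text and is intended for development machines, so this check confirms only that secrets stay out of the project tree, not that they are protected at rest.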

Here is the sample content of the secrets.json file that contains the logging information, remote services URL, and the connection string:

{ 
  "Logging": { 
    "IncludeScopes": false, 
    "Debug": { 
      "LogLevel": { 
        "Default": "Warning" 
      } 
    }, 
    "Console": { 
      "LogLevel": { 
        "Default": "Warning" 
      } 
    } 
  }, 
  "EmailServiceURL": "http://localhost:6670/api/values", 
  "UserServiceURL": "http://localhost:6546/api/user", 
  "ConnectionString": "Server=OVAISPCsqlexpress;Database=FraymsVendorDB;User Id=sa;Password=P@ssw0rd;"
}

To access this in the ASP.NET Core application, we can add the following namespace in our Startup class:

using Microsoft.Extensions.Configuration;

Then, inject the IConfiguration object and assign it to the Configuration property:

public Startup(IConfiguration configuration) 
{ 
  Configuration = configuration; 
} 
public IConfiguration Configuration { get; } 

Finally, we can access the variables using the Configuration object as follows:

// GetTypeInfo() below requires: using System.Reflection;
var UserServicesURL = Configuration["UserServiceURL"];
services.AddEntityFrameworkSqlServer()
  .AddDbContext<VendorDBContext>(options =>
  {
    options.UseSqlServer(Configuration["ConnectionString"],
      sqlServerOptionsAction: sqlOptions =>
      {
        // Keep the EF Core migrations in the same assembly as Startup
        sqlOptions.MigrationsAssembly(typeof(Startup).GetTypeInfo().Assembly.GetName().Name);
        // Retry transient SQL Server failures up to 10 times, waiting at most 30 seconds between attempts
        sqlOptions.EnableRetryOnFailure(maxRetryCount: 10,
          maxRetryDelay: TimeSpan.FromSeconds(30), errorNumbersToAdd: null);
      });
  }, ServiceLifetime.Scoped);