How safe our secrets in .NET application?

Asked 8 hours ago Updated 4 hours ago 25 views

1 Answer

0

Secrets in a .NET application are only as safe as where and how you store them.
.NET itself provides good tools, but no secret is “100% safe” if an attacker gets server access.

Here’s the practical security picture.

1. appsettings.json is NOT secure

If you store this:

{
  "Jwt": {
    "Key": "super-secret-key"
  }
}

Anyone who can access:

  • your source code
  • deployment files
  • server filesystem
  • Docker image
  • backup archives

can read it.

Even if the repo is private, this is still risky.

2. Best options for storing secrets

Development → User Secrets

.NET Secret Manager stores secrets outside the project folder.

dotnet user-secrets init
dotnet user-secrets set "Jwt:Key" "super-secret"

Advantages:

  • Not committed to Git
  • Easy for local development
  • Safer than config files

But:

  • It is not encrypted for high-security use
  • It’s mainly for local dev convenience

Official docs:

ASP.NET Core Secret Manager

Production → Environment Variables

Example:

Jwt__Key=super-secret

This is much safer because:

  • Secrets stay outside source code
  • CI/CD systems inject them securely
  • Cloud platforms manage them separately

Enterprise-grade → Secret Vaults

Most secure option.

Examples:

These provide:

  • Encryption at rest
  • Access policies
  • Secret rotation
  • Audit logs
  • Temporary credentials

3. Important reality: secrets can still leak

Even with good storage:

If attacker gains server access

They can often:

  • Read environment variables
  • Dump process memory
  • Access vault tokens
  • Read decrypted secrets in runtime
  • Because your app itself must access the secret.

So security becomes:

  • Server security
  • IAM permissions
  • Network isolation
  • Least privilege
  • Monitoring

4. Common mistakes in .NET apps

Hardcoding secrets

string apiKey = "abc123";

Very dangerous.

Pushing secrets to GitHub

Even private repos can leak.

Logging secrets accidentally

Avoid:

_logger.LogInformation(jwtKey);

Sending secrets to frontend

Never expose:

  • DB passwords
  • private API keys
  • signing keys

Anything in:

  • JavaScript
  • Blazor WASM
  • mobile app binaries
  • can be extracted.

5. What is considered “reasonably secure”?

For most production .NET applications:

Storage Method Security Level
Hardcoded secrets Very bad
appsettings.json Bad
User Secrets OK for local dev
Environment variables Good
Secret vaults Best practice

6. Recommended modern setup

For a professional .NET app:

Local Development

dotnet user-secrets

CI/CD

  • GitHub Actions Secrets
  • Azure DevOps Secrets
  • GitLab CI variables

Production

Environment variables OR Key Vault

7. Extra protection ideas

Rotate secrets regularly

Change:

  • API keys
  • DB passwords
  • JWT signing keys

Use managed identity where possible

Instead of storing DB passwords:

  • Azure Managed Identity
  • IAM Roles
  • Workload Identity
  • This removes secrets entirely.

8. Quick answer

Are secrets in .NET secure?

  • .NET provides secure mechanisms
  • But secrets are never magically safe

Security depends mostly on:

  • storage method
  • server security
  • access control
  • deployment practices

For most apps today:

  • Environment variables + vaults = solid security
  • appsettings.json with secrets = unsafe practice
Ravi Vishwakarma
answered 8 hours ago Ravi Vishwakarma

Write Your Answer