{"id":1565,"date":"2025-12-08T10:04:20","date_gmt":"2025-12-08T10:04:20","guid":{"rendered":"https:\/\/oussamasaidi.com\/?p=1565"},"modified":"2025-12-20T11:14:43","modified_gmt":"2025-12-20T11:14:43","slug":"securing-sensitive-information-in-net-core","status":"publish","type":"post","link":"https:\/\/oussamasaidi.com\/en\/securing-sensitive-information-in-net-core\/","title":{"rendered":"Securing Sensitive Information in .NET Core: A Complete Guide for Developers"},"content":{"rendered":"<p>Protecting user data is one of the most critical responsibilities of any software developer. In today\u2019s connected world, even a small leakage of sensitive information \u2014 API keys, passwords, or tokens \u2014 can have devastating consequences. Fortunately, .NET Core (or .NET 9 and later) offers several mechanisms to help you handle secrets securely and build resilient applications.<\/p>\n\n\n\n<p>In this article, we\u2019ll explore practical methods to secure sensitive information in <a href=\"https:\/\/oussamasaidi.com\/en\/solid-principles-in-c-explained-definitions-examples-best-practices\/\" target=\"_blank\" rel=\"noopener\" title=\"SOLID Principles in C# Explained: Definitions, Examples &amp; Best Practices\">.NET Core applications.<\/a> You\u2019ll learn where and how to store secrets, configure your environment safely, use built-in tools like&nbsp;<strong>Azure Key Vault<\/strong>, and adopt best security practices. 
Let\u2019s dive in!<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Full simple source code is on <a href=\"https:\/\/github.com\/oussama-saidi\/os-tuto-securing-sensitive-information-net-core\" target=\"_blank\" rel=\"noopener\" title=\"\">Github<\/a> <\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"understanding-sensitive-information-in-net-core\">Understanding Sensitive Information in .NET Core<\/h2>\n\n\n\n<p>Sensitive information refers to any data that, if exposed, could harm your application\u2019s users, business, or systems. Common examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connection strings.<\/li>\n\n\n\n<li>API keys and OAuth tokens.<\/li>\n\n\n\n<li>Client secrets.<\/li>\n\n\n\n<li>Passwords and cryptographic keys.<\/li>\n\n\n\n<li>Cloud service credentials.<\/li>\n<\/ul>\n\n\n\n<p>These values often end up hard-coded in source files or checked into Git repositories by mistake. Once that happens, attackers can easily exploit them. 
Securing them begins with understanding how configuration works in .NET Core.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2.png\" alt=\"Securing sensitive Information  in .NET Core\" class=\"wp-image-1576\" srcset=\"https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2.png 1024w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-300x300.png 300w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-150x150.png 150w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-768x768.png 768w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-12x12.png 12w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-140x140.png 140w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-256x256.png 256w, https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core-2-950x950.png 950w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuration-basics-in-net-core\">Configuration Basics in .NET Core<\/h2>\n\n\n\n<p>.NET Core applications follow a flexible&nbsp;<strong>configuration system<\/strong>&nbsp;that reads settings from multiple sources. 
Typical configuration providers include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>appsettings.json<\/code>&nbsp;files.<\/li>\n\n\n\n<li>Environment variables.<\/li>\n\n\n\n<li>Command-line arguments.<\/li>\n\n\n\n<li>Secret managers (for development).<\/li>\n\n\n\n<li>External services like Azure Key Vault.<\/li>\n<\/ul>\n\n\n\n<p>When the application starts, .NET loads these sources in order, allowing later sources to overwrite earlier ones. This approach supports secure, environment-specific configuration.<\/p>\n\n\n\n<p>For instance, the following code shows how the configuration builder can be customized in&nbsp;<code>Program.cs<\/code>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">var builder = WebApplication.CreateBuilder(args);\n\n\/\/ Add configuration from appsettings and environment variables\nbuilder.Configuration\n    .SetBasePath(Directory.GetCurrentDirectory())\n    .AddJsonFile(\"appsettings.json\", optional: false, reloadOnChange: true)\n    .AddJsonFile($\"appsettings.{builder.Environment.EnvironmentName}.json\", optional: true)\n    .AddEnvironmentVariables();\n\nvar app = builder.Build();\n\napp.MapGet(\"\/\", () => \"Configuration Ready!\");\n\napp.Run();\n<\/pre>\n\n\n\n<p>This technique lets you manage settings separately for&nbsp;<strong>Development<\/strong>,&nbsp;<strong>Staging<\/strong>, and&nbsp;<strong>Production<\/strong>&nbsp;environments, keeping sensitive data outside your code base.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-hardcoding-is-dangerous\">Why Hardcoding Is Dangerous<\/h2>\n\n\n\n<p>Many developers still take shortcuts like embedding credentials directly in code or configuration files. 
It feels convenient at first but creates serious risks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accidental exposure<\/strong>&nbsp;through Git commits or public repositories.<\/li>\n\n\n\n<li><strong>Environment inconsistencies<\/strong>&nbsp;when sharing projects.<\/li>\n\n\n\n<li><strong>Difficult automation and scaling<\/strong>, since secrets need manual updates.<\/li>\n<\/ul>\n\n\n\n<p>Instead of embedding them, use&nbsp;<strong>secure configuration sources<\/strong>&nbsp;that the framework already supports.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"managing-secrets-in-development-with-secret-manage\">Managing Secrets in Development with Secret Manager<\/h2>\n\n\n\n<p>For local development, .NET Core provides the&nbsp;<strong>Secret Manager tool<\/strong>, which stores your sensitive configuration values outside the project folder. It\u2019s perfect for keeping secrets out of version control.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Use Secret Manager<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Enable user secrets in your project:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dotnet user-secrets init\n<\/pre>\n\n\n\n<p>This adds a&nbsp;<code>UserSecretsId<\/code>&nbsp;to your&nbsp;<code>.csproj<\/code>&nbsp;file.<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Add secrets via the CLI:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dotnet user-secrets set \"ConnectionStrings:DefaultConnection\" \"Server=myserver;Database=mydb;User Id=me;Password=mypassword;\"\n<\/pre>\n\n\n\n<ol start=\"3\" 
class=\"wp-block-list\">\n<li>Access them in your code like any other configuration value:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">var connectionString = builder.Configuration.GetConnectionString(\"DefaultConnection\");\n<\/pre>\n\n\n\n<p>These secrets are stored in a JSON file within your user profile (not in the project folder). This prevents accidental check-ins and keeps local development safe.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protecting-secrets-in-production-environments\">Protecting Secrets in Production Environments<\/h2>\n\n\n\n<p>When deploying to production, relying on the Secret Manager or local files is unsafe. Secrets must be stored and managed by secure, centralized solutions. Depending on your environment, you have several options.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Environment Variables<\/h2>\n\n\n\n<p>Using environment variables is a simple and effective approach. 
You can define them directly on the hosting machine, and .NET Core automatically loads them as configuration values:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export ConnectionStrings__DefaultConnection=\"Server=prodserver;Database=main;User Id=sa;Password=Secure123!\"\n<\/pre>\n\n\n\n<p>Or, for Windows PowerShell:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$env:ConnectionStrings__DefaultConnection=\"Server=prodserver;Database=main;User Id=sa;Password=Secure123!\"\n<\/pre>\n\n\n\n<p>In code, access them just like local configuration settings. This approach works well across Docker, Kubernetes, and cloud instances.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-azure-key-vault-with-net-core\">Using Azure Key Vault with .NET Core<\/h2>\n\n\n\n<p>For enterprise-grade applications,&nbsp;<strong>Azure Key Vault<\/strong>&nbsp;is the recommended option. 
It stores credentials, keys, secrets, and certificates securely, while allowing fine-grained access through&nbsp;<strong>Azure AD<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting Up Azure Key Vault<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a Key Vault in Azure:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">az keyvault create --name MyAppKeyVault --resource-group MyResourceGroup --location westeurope<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Add a secret:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">az keyvault secret set --vault-name MyAppKeyVault --name \"DbPassword\" --value \"SuperSecret123!\"<\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Configure .NET Core to use Azure Key Vault:<\/li>\n<\/ol>\n\n\n\n<p>First, add the NuGet packages (the Key Vault configuration provider, plus <code>Azure.Identity<\/code>, which supplies <code>DefaultAzureCredential<\/code>):<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets\ndotnet add package Azure.Identity<\/pre>\n\n\n\n<p>Then, integrate it into your app\u2019s configuration pipeline:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">using Azure.Identity;\n\nvar builder = 
WebApplication.CreateBuilder(args);\n\n\/\/ Load configuration from Azure Key Vault\nvar keyVaultName = \"MyAppKeyVault\";\nvar kvUri = new Uri($\"https:\/\/{keyVaultName}.vault.azure.net\/\");\n\nbuilder.Configuration.AddAzureKeyVault(kvUri, new DefaultAzureCredential());\n\nvar app = builder.Build();\n\napp.MapGet(\"\/\", () => \"Secrets safely loaded from Azure Key Vault!\");\n\napp.Run();\n<\/pre>\n\n\n\n<p>This setup ensures that your application reads secrets dynamically from the vault, avoiding local storage or hardcoded credentials.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"storing-connection-strings-securely\">Storing Connection Strings Securely<\/h2>\n\n\n\n<p>Connection strings are among the most sensitive types of data in apps. They often include passwords or tokens that grant direct access to databases. To protect them:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use&nbsp;<strong>Integrated Security (Windows Authentication)<\/strong>&nbsp;when possible.<\/li>\n\n\n\n<li>For SQL Server in Azure, use&nbsp;<strong>Managed Identity<\/strong>.<\/li>\n\n\n\n<li>Never store plaintext passwords in files.<\/li>\n\n\n\n<li>Rotate credentials regularly and revoke old ones.<\/li>\n<\/ul>\n\n\n\n<p>In addition, always ensure connection strings are&nbsp;<strong>encrypted at rest and in transit<\/strong>.<\/p>\n\n\n\n<p>For example, in&nbsp;<code>appsettings.json<\/code>, store only placeholder keys:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">{\n  \"ConnectionStrings\": {\n    \"DefaultConnection\": \"Use Key Vault\"\n  }\n}<\/pre>\n\n\n\n<p>Then retrieve the real value from environment variables or Azure Key Vault at runtime.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"encrypting-configuration-sections\">Encrypting Configuration 
Sections<\/h2>\n\n\n\n<p>If you must store sensitive data in configuration files, consider encrypting the relevant sections. In classic .NET Framework, this was done via protected configuration providers like&nbsp;<code>RsaProtectedConfigurationProvider<\/code>.<br>In .NET Core, the better pattern is&nbsp;<strong>custom configuration providers<\/strong>&nbsp;that decrypt secrets dynamically.<\/p>\n\n\n\n<p>Here\u2019s a simple example using AES encryption:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">using System;\nusing System.IO;\nusing System.Security.Cryptography;\nusing System.Text;\n\npublic static class EncryptionHelper\n{\n    \/\/ Decrypts a Base64-encoded AES (CBC) ciphertext using a 32-byte (AES-256) key\n    public static string Decrypt(string cipherText, string key)\n    {\n        using var aes = Aes.Create();\n        aes.Key = Encoding.UTF8.GetBytes(key.PadRight(32)); \/\/ key must be at most 32 ASCII characters\n        aes.IV = new byte[16]; \/\/ Example only; use a unique IV\n\n        var decryptor = aes.CreateDecryptor(aes.Key, aes.IV);\n        var buffer = Convert.FromBase64String(cipherText);\n\n        using var ms = new MemoryStream(buffer);\n        using var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read);\n        using var sr = new StreamReader(cs);\n        return sr.ReadToEnd();\n    }\n}\n<\/pre>\n\n\n\n<p>When loading configuration values, call this helper to decrypt them before use.<br>That way, even if someone gains access to your configuration file, secrets remain protected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"avoid-logging-sensitive-information\">Avoid Logging Sensitive Information<\/h2>\n\n\n\n<p><a href=\"https:\/\/oussamasaidi.com\/en\/logging-centralise-avec-opentelemetry-dans-net-core\/\" target=\"_blank\" rel=\"noopener\" title=\"Logging Centralis\u00e9 avec OpenTelemetry dans .NET Core\">Logging <\/a>is vital for debugging and monitoring, but it can easily become a leakage point if not handled carefully. 
Never log:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Passwords.<\/li>\n\n\n\n<li>Tokens.<\/li>\n\n\n\n<li>Connection strings.<\/li>\n\n\n\n<li>Personal data (emails, addresses, credit card details).<\/li>\n<\/ul>\n\n\n\n<p>Here\u2019s an example of safe <a href=\"https:\/\/oussamasaidi.com\/en\/logging-centralise-avec-opentelemetry-dans-net-core\/\" target=\"_blank\" rel=\"noopener\" title=\"Logging Centralis\u00e9 avec OpenTelemetry dans .NET Core\">logging<\/a>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">_logger.LogInformation(\"User {UserId} attempted to login at {Time}\", userId, DateTime.UtcNow);\n<\/pre>\n\n\n\n<p>Avoid patterns like:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">_logger.LogInformation(\"User {UserId} login with password {Password}\", userId, password);\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-net-data-protection-api\">Using .NET Data Protection API<\/h2>\n\n\n\n<p>The&nbsp;<strong>Data Protection API<\/strong>&nbsp;in .NET Core is an excellent tool for encrypting data like tokens, cookies, or form values. 
It automatically manages key rotation and supports key storage in a secure location.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example of Using Data Protection<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"csharp\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">using Microsoft.AspNetCore.DataProtection;\n\nvar provider = DataProtectionProvider.Create(\"MyApp\");\nvar protector = provider.CreateProtector(\"Sensitive.Data\");\n\nstring secret = \"mypassword\";\nstring encrypted = protector.Protect(secret);\nstring decrypted = protector.Unprotect(encrypted);\n\nConsole.WriteLine($\"Encrypted: {encrypted}\");\nConsole.WriteLine($\"Decrypted: {decrypted}\");\n<\/pre>\n\n\n\n<p>In production, store the key ring outside the app directory\u2014for example, in Azure Blob Storage or a networked share.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-managed-identities-and-service-principals\">Using Managed Identities and Service Principals<\/h2>\n\n\n\n<p>Cloud environments such as&nbsp;<strong>Azure App Service<\/strong>,&nbsp;<strong>Azure Functions<\/strong>, and&nbsp;<strong>Kubernetes<\/strong>&nbsp;support&nbsp;<strong>Managed Identities<\/strong>. These provide a secure identity for your application to access resources without needing explicit credentials.<\/p>\n\n\n\n<p>When combined with Azure Key Vault, this approach eliminates the need to store secrets entirely. The app authenticates automatically with Azure AD and pulls secrets from Key Vault.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"secure-deployment-practices\">Secure Deployment Practices<\/h2>\n\n\n\n<p>Even with good code hygiene, deployment pipelines can become weak spots. 
To secure your CI\/CD process:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Store secrets in your CI\/CD system\u2019s&nbsp;<strong>secure variables<\/strong>&nbsp;(e.g., GitHub Secrets, Azure DevOps variable groups).<\/li>\n\n\n\n<li>Avoid printing secrets in logs.<\/li>\n\n\n\n<li>Use separate credentials per environment.<\/li>\n\n\n\n<li>Rotate and revoke tokens regularly.<\/li>\n<\/ul>\n\n\n\n<p>Additionally, scan your repository for accidental leaks using tools like&nbsp;<strong>GitGuardian<\/strong>&nbsp;or&nbsp;<strong>TruffleHog<\/strong>&nbsp;before every release.<\/p>\n\n\n\n<p>Developers often underestimate the importance of&nbsp;<strong>static analysis<\/strong>&nbsp;and&nbsp;<strong>dependency scanning<\/strong>. A vulnerable dependency can compromise your security strategy.<br>Consider integrating:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>dotnet list package --vulnerable<\/code><\/li>\n\n\n\n<li>OWASP Dependency Check<\/li>\n\n\n\n<li>GitHub Dependabot alerts<\/li>\n<\/ul>\n\n\n\n<p>Automating these checks helps you patch risky components before attackers exploit them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"key-points-and-best-practices\">Key Points and Best Practices<\/h2>\n\n\n\n<p>Here\u2019s a quick summary of the practices discussed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Never hardcode credentials or tokens.<\/li>\n\n\n\n<li>Use Secret Manager locally and environment variables or Key Vault in production.<\/li>\n\n\n\n<li>Encrypt sensitive configuration sections when necessary.<\/li>\n\n\n\n<li>Mask confidential values in logs.<\/li>\n\n\n\n<li>Adopt Managed Identity for cloud authentication.<\/li>\n\n\n\n<li>Secure your CI\/CD pipeline and dependencies.<\/li>\n<\/ul>\n\n\n\n<p>Each layer of security reduces attack surface and improves compliance with regulations like GDPR or SOC2<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"final-thoughts\">Final Thoughts<\/h2>\n\n\n\n<p>Security isn\u2019t a one-time task \u2014 
it\u2019s an ongoing mindset. Every line of code and every deployment decision must consider the potential risks.<br>The good news? .NET Core gives you all the tools you need to handle secrets responsibly, whether you\u2019re running in the cloud or on-premises.<\/p>\n\n\n\n<p>By building secure coding habits early, you protect not only your application but also your users\u2019 trust. So next time you\u2019re about to push a config file to Git, pause \u2014 and make sure your secrets are truly safe.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<p><strong><em><a href=\"https:\/\/learn.microsoft.com\/en-us\/aspnet\/core\/security\/app-secrets?view=aspnetcore-7.0&amp;tabs=windows\" target=\"_blank\" rel=\"noopener\" title=\"\">Safe storage of app secrets in development in ASP.NET Core<\/a><\/em><\/strong><\/p>","protected":false},"excerpt":{"rendered":"<p>Protecting user data is one of the most critical responsibilities of any software developer. 
In today\u2019s connected world, even a&#8230; <\/p>\n<div class=\"art-el-more\"><a href=\"https:\/\/oussamasaidi.com\/en\/securing-sensitive-information-in-net-core\/\" class=\"art-link art-color-link art-w-chevron\">Read more<\/a><\/div>","protected":false},"author":1,"featured_media":1575,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[40,68,45,274,275,41,56,17,90,85,84,279,82,83,42,43,44,284,98,20,61],"tags":[48,49,54,97,53,50,51,285,96],"ppma_author":[286],"class_list":["post-1565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-netcore","category-api","category-asp-net","category-azure","category-azure-ai","category-c","category-c-2","category-design","category-devops","category-docker","category-ef-core","category-en","category-entity-framework-core","category-entity-framework-core-2","category-log","category-logging","category-nlog","category-security","category-solid","category-technology","category-web-api","tag-asp-net","tag-c-sharp","tag-c","tag-clean-code","tag-dot-net-core","tag-log","tag-logging","tag-security","tag-solid"],"acf":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/securing-sensitive-information-in-net-core.png","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1714,"url":"https:\/\/oussamasaidi.com\/en\/https-oussamasaidi-com-restful-api-mastery-best-practices-with-asp-net-core-part-2\/","url_meta":{"origin":1565,"position":0},"title":"RESTful API best practices\u00a0with ASP.NET Core Part 2","author":"Saidi Oussama","date":"December 20, 2025","format":false,"excerpt":"Testing, Performance, Security, Microservices & Deployment Introduction: From Solid Foundations to Production Excellence In Part 1 of RESTful API Mastery, we established the architectural and technical foundations 
required to build reliable, evolvable RESTful APIs with ASP.NET Core. However, a well-designed API only becomes truly valuable when it is tested, observable,\u2026","rel":"","context":"In &quot;.Net Core&quot;","block_context":{"text":".Net Core","link":"https:\/\/oussamasaidi.com\/en\/category\/netcore\/"},"img":{"alt_text":"RESTful API Mastery","src":"https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-2r.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1639,"url":"https:\/\/oussamasaidi.com\/en\/restful-api-mastery-best-practices-with-asp-net-core\/","url_meta":{"origin":1565,"position":1},"title":"RESTful API Best Practices with ASP.NET Core","author":"Saidi Oussama","date":"December 16, 2025","format":false,"excerpt":"Professional Best Practices, Versioning Strategies & Advanced Serialization (Part 1) In this blog Introduction: Building Enterprise-Grade RESTful APIs with ASP.NET Core1. RESTful APIs in the Modern ASP.NET Core EcosystemWhy REST Still Dominates2. 
REST Architectural Constraints Every ASP.NET Core API Must EnforceClient\u2013Server SeparationStatelessnessUniform Interface3. Establishing a Clean and Scalable ASP.NET Core\u2026","rel":"","context":"In &quot;.Net Core&quot;","block_context":{"text":".Net Core","link":"https:\/\/oussamasaidi.com\/en\/category\/netcore\/"},"img":{"alt_text":"RESTful API Mastery","src":"https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/oussamasaidi.com\/wp-content\/uploads\/2025\/12\/restful-api-mastery-best-practices-with-asp-net-core-cover-scaled.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1086,"url":"https:\/\/oussamasaidi.com\/en\/logging-centralise-avec-opentelemetry-dans-net-core\/","url_meta":{"origin":1565,"position":2},"title":"Logging Centralis\u00e9 avec OpenTelemetry dans .NET Core","author":"Saidi Oussama","date":"April 7, 2025","format":false,"excerpt":"Diagramme officiel OpenTelemetry montrant le flux de donn\u00e9es. Source originale. Introduction Dans le monde du d\u00e9veloppement moderne, la gestion des logs est devenue un \u00e9l\u00e9ment critique pour assurer la stabilit\u00e9 et la performance des applications. 
Author: Saidi Oussama (Oussama SAIDI), Senior Fullstack .NET Developer, https://oussamasaidi.com

"I'm a Senior Fullstack .NET Developer specializing in building scalable, high-performance web applications with .NET, C#, and modern frontend frameworks like React.js. I'm passionate about clean architecture, automated testing, and sharing knowledge through blogs and tutorials."