#csharp #dotnet #backend

Day 25: App Configuration & Secrets

Welcome to Day 25. If you look back at our EF Core and JWT examples, we hardcoded our SQLite connection string and our super secret token key directly into Program.cs.

// TERRIBLE IDEA for production!
var secureKey = "this_is_a_very_long_secret_key!"; 

If you push this to GitHub, bots will scrape your AWS/Database/API keys within 5 seconds and rack up $10,000 bills on your account. We need to abstract configuration properly.

The appsettings.json File

ASP.NET Core projects ship with an appsettings.json file. This is the centralized hub for non-sensitive configuration data (like your database connection string, pagination limits, and default logging levels).

{
  "Logging": {
    "LogLevel": {
      "Default": "Information"
    }
  },
  "ConnectionStrings": {
    "DefaultConnection": "Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;"
  },
  "JwtSettings": {
    "Issuer": "https://myapp.com",
    "ExpirationMinutes": 60
  }
}

Accessing Configuration

You access these values through the IConfiguration service, which is built into the DI Container by default!

// Program.cs
using Microsoft.EntityFrameworkCore; // for UseSqlServer

var builder = WebApplication.CreateBuilder(args);

// Grab the connection string safely; GetConnectionString returns null when the key
// is missing, so fail fast at startup instead of later with a confusing DB error
string dbConn = builder.Configuration.GetConnectionString("DefaultConnection")
    ?? throw new InvalidOperationException("ConnectionStrings:DefaultConnection is not configured.");

builder.Services.AddDbContext<AppDbContext>(opt => opt.UseSqlServer(dbConn));

Environments (Dev vs Prod)

Notice you also have an appsettings.Development.json file.

ASP.NET Core looks at your system’s ASPNETCORE_ENVIRONMENT variable. If it’s Development, the framework loads appsettings.json first, then overrides any matching keys with the values found in appsettings.Development.json.

This is brilliant, because you can set your local SQLite connection string in the Development file, and your real Cloud PostgreSQL connection string in the base file (or cloud env vars).

User Secrets (Local Security)

But what about the massive JWT Secret Key? It shouldn’t be in appsettings.json at all, because that file is checked into source control (git).

During local development, .NET provides User Secrets. Right-click your project in VS/Rider, or run this CLI command:

dotnet user-secrets init
dotnet user-secrets set "JwtSettings:Secret" "my_super_secret_local_key"

This saves the secret to a hidden folder in your computer’s user directory (~/.microsoft/usersecrets/...) far away from Git! Yet magically, builder.Configuration["JwtSettings:Secret"] will still find it seamlessly, because the framework merges the user secrets into IConfiguration automatically whenever the environment is Development.

In Production (like Azure or Vercel), you would simply set an Environment Variable named JwtSettings__Secret (the double underscore stands in for the : section separator, which most shells don’t allow in variable names), and the framework would use that instead!
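To make the merged configuration something the app can actually check, here is an added example (mine, not code from the original post) that binds the JwtSettings section shown above to a typed options class and validates it at boot, so a missing or too-short Secret stops the app from starting instead of surfacing as a broken login later. The JwtSettings class, its validation attributes and the /config-check endpoint are my assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Bind "JwtSettings" from every merged source (appsettings*.json, user secrets,
// JwtSettings__* env vars) and validate the result before the app starts serving.
builder.Services
    .AddOptions<JwtSettings>()
    .Bind(builder.Configuration.GetSection(JwtSettings.SectionName))
    .ValidateDataAnnotations()
    .ValidateOnStart(); // missing/short Secret => OptionsValidationException at boot

var app = builder.Build();

// Hypothetical endpoint: confirms what was loaded without ever echoing the secret.
app.MapGet("/config-check", (IOptions<JwtSettings> jwt) => Results.Ok(new
{
    jwt.Value.Issuer,
    jwt.Value.ExpirationMinutes,
    SecretConfigured = !string.IsNullOrEmpty(jwt.Value.Secret)
}));

app.Run();

// Typed view of the "JwtSettings" section (my assumption, not from the post).
// Declared after the top-level statements, as C# requires in a single file.
public sealed class JwtSettings
{
    public const string SectionName = "JwtSettings";

    [Required, Url]
    public string Issuer { get; set; } = string.Empty;

    [Range(1, 24 * 60)]
    public int ExpirationMinutes { get; set; } = 60;

    // Only ever supplied via user secrets locally or JwtSettings__Secret in production.
    // 32+ ASCII characters gives the 256 bits of key material HMAC-SHA256 expects.
    [Required, MinLength(32)]
    public string Secret { get; set; } = string.Empty;
}
```

With the 25-character sample value from the dotnet user-secrets command above, the app refuses to start, which is the check doing its job; set a longer secret the same way and it boots.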

Challenge for Day 25

Move your hardcoded connection strings or any dummy variables out of your Program.cs and into appsettings.json under a custom AppSettings JSON object. Read them into your code at startup!

Tomorrow: HTTPClient & Consuming External APIs.