Learn what secrets in an application are and why it is important to store and use them securely. Then learn where they are stored and how you can use them securely without exposing critical and sensitive data to attackers. Additionally, explore the Secret Manager tool and how it works.
- [Instructor] Most web apps need to store some configuration information that can be accessed by the application during runtime. This may include database connection strings and API keys, which are not user-specific confidential values but are still sensitive pieces of information that need to be protected. It is not good practice to have such information included in our source code and later deploy it to our servers or publish it to GitHub, because this way we might give unauthorized users access to really sensitive data in our apps. A piece of sensitive data is an app secret, and app secrets need to be stored in a separate location from the project tree. In Visual Studio, we can use the Secret Manager tool to manage our app secrets.

So let us now go to Visual Studio and see where the Secret Manager stores the secret data. In here, if you go to the Solution Explorer, we are going to see that we have created a web API project. Inside the Controllers folder, we have a SecretsController.cs file, which has only one ActionResult, which returns an OK message. So if we run the application, this is the result that we get. Now let us go back to Visual Studio, go to Solution Explorer, right-click on the project, and then go to Edit Secrets.csproj. In here, you are going to see that we have some configurations, but none of these configurations is related to our secrets file. Let us go back to the Solution Explorer, right-click on the Secrets project, and then go to the Manage User Secrets option. Now we see that a secrets.json file was automatically generated. But where is this file located? To find out where this file is located, go to your File Explorer, then type in the URL up here, appdata, then go to Microsoft, UserSecrets. Here, we are going to see that a folder with a GUID name was generated. Where does this value come from? Let us go back to Visual Studio.
If we go to Solution Explorer, right-click on the project, and then go to Edit Secrets.csproj, we are going to see that because we opened the User Secrets Manager for the first time, a UserSecretsId was automatically generated, and the value that we see in here is used to configure the secrets.json file location with our project's UserSecretsId. So if we go back to the File Explorer, we are going to see that we have the name of the UserSecretsId that we have in Visual Studio.

Now let us go back to the Solution Explorer and create another project. So, in Solution Explorer, I will just right-click on the Solution, go to Add, New Project, choose the first option, name this one Secrets.Test, and then click the OK button to create this project. Choose any version of .NET Core and then click the OK button. So now we see that the Secrets.Test project was created. If we go to the File Explorer, inside the UserSecrets folder, we see that we don't have a UserSecretsId for the other project, and that's right, because we didn't open the Secret Manager for it yet. So let us go back to Visual Studio, go to Solution Explorer, right-click on the project, and go to Manage User Secrets. Now, if we right-click on the Secrets.Test project and then go to Edit Secrets.Test.csproj, we are going to see that a UserSecretsId was generated, ending in ee0. Let us go back to File Explorer. Here, we are going to see that we have a new folder with the name of the new app's UserSecretsId.

But the most important information in here is that the app secrets folder is completely separated from our Solution folder, which means that all the sensitive data that we store in our secrets.json file is going to be separated from our main solution. So in case we deploy our project to a server or we publish our source code to GitHub, we are not going to have our secret values exposed.
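The location rule the video walks through (UserSecretsId in the .csproj, secrets.json under the user profile) can be checked mechanically. The script below is an added example, not part of the course, and assumes the documented Secret Manager paths: `%APPDATA%\Microsoft\UserSecrets\<id>\secrets.json` on Windows and `~/.microsoft/usersecrets/<id>/secrets.json` elsewhere. The .csproj fragment and the GUID in it are constructed sample values.

```python
import os
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Mapping, Optional

# Constructed .csproj fragment, as it looks after "Manage User Secrets" has
# run once and generated a UserSecretsId (this GUID is a made-up sample).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <UserSecretsId>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee0</UserSecretsId>
  </PropertyGroup>
</Project>
"""


def user_secrets_id(csproj_xml: str) -> Optional[str]:
    """Return the UserSecretsId from a .csproj, or None if Secret Manager
    has never been opened for that project (no element yet)."""
    root = ET.fromstring(csproj_xml)
    node = root.find("./PropertyGroup/UserSecretsId")
    return node.text.strip() if node is not None and node.text else None


def secrets_json_path(secrets_id: str,
                      platform: str = sys.platform,
                      env: Mapping[str, str] = os.environ) -> Path:
    """Path where the Secret Manager keeps secrets.json for this id."""
    if platform.startswith("win"):
        base = Path(env["APPDATA"]) / "Microsoft" / "UserSecrets"
    else:
        base = Path(env["HOME"]) / ".microsoft" / "usersecrets"
    return base / secrets_id / "secrets.json"


def is_outside_tree(secrets_file: Path, solution_dir: Path) -> bool:
    """True when secrets.json is NOT under the solution folder, so it will not
    be deployed or committed together with the source."""
    try:
        secrets_file.resolve(strict=False).relative_to(
            solution_dir.resolve(strict=False))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sid = user_secrets_id(SAMPLE_CSPROJ)
    path = secrets_json_path(sid)
    print(sid, path, is_outside_tree(path, Path.cwd()))
```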