Improve guidance on security config with app settings files (#32277)

pull/32276/head
Luke Latham 2024-04-08 11:11:05 -04:00 committed by GitHub
parent 9af97c225c
commit c5afb7babd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 3 deletions

@ -61,7 +61,7 @@ Other configuration providers registered by the app can also provide configurati
For more information on configuration providers, see <xref:fundamentals/configuration/index>.
> [!WARNING]
> Configuration and settings files are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in the app's configuration or files.**
> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.**
## App settings configuration
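Review bot: narrowing the warning from "the app's configuration or files" to "files in the web root (`wwwroot` folder)" drops coverage the hunk's own context still needs: the line just above says other configuration providers registered by the app can also provide configuration, so a secret can reach client-side configuration without ever being a `wwwroot` file. Suggest keeping a clause along the lines of "**Don't store app secrets, credentials, or any other sensitive data in any web root file or in any configuration the app loads on the client.**" so the narrower wording isn't read as permission to source secrets through another provider.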
@ -112,7 +112,7 @@ Inject an <xref:Microsoft.Extensions.Configuration.IConfiguration> instance into
Client security restrictions prevent direct access to files via user code, including settings files for app configuration. To read configuration files in addition to `appsettings.json`/`appsettings.{ENVIRONMENT}.json` from the `wwwroot` folder into configuration, use an <xref:System.Net.Http.HttpClient>.
> [!WARNING]
> Configuration and settings files are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in the app's configuration or files.**
> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.**
The following example reads a configuration file (`cars.json`) into the app's configuration.
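Review bot: the warning states that users can tamper with the data but the section then shows reading an arbitrary file such as `cars.json` into configuration via `HttpClient` without saying what follows from that; suggest adding one sentence that values loaded this way are untrusted client input and must not drive authorization or other security decisions, which is the practical consequence of the tampering point the warning raises.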
@ -225,7 +225,7 @@ Obtain a section of the configuration in C# code with <xref:Microsoft.Extensions
## Authentication configuration
Provide authentication configuration in an app settings file.
Provide ***public*** authentication configuration in an app settings file.
`wwwroot/appsettings.json`:
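Review bot: "Provide ***public*** authentication configuration" introduces the term "public" without defining it, and the triple-asterisk bold-italic emphasis differs from the `**bold**` used in the warnings elsewhere in this file. Suggest bold only, plus a short parenthetical naming what qualifies, for example the values bound into `options.ProviderOptions` in the snippet below such as the authority and client ID, and stating that anything the provider treats as a secret does not belong in `wwwroot/appsettings.json`.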
@ -245,6 +245,9 @@ builder.Services.AddOidcAuthentication(options =>
builder.Configuration.Bind("Local", options.ProviderOptions));
```
> [!WARNING]
> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.**
## Logging configuration
*This section applies to apps that configure logging via an app settings file in the `wwwroot` folder.*
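Review bot: this adds a third verbatim copy of the same warning block (the other two are in the hunks above at the configuration-providers and app-settings sections); three hand-maintained copies will drift the next time the wording changes, as this very commit had to touch two of them. Suggest moving the warning into an include file and referencing it at all three sites, consistent with how the file already uses `<xref:...>` references rather than repeated text.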