By framework
ASP.NET Core security — production errors, secrets, and authorization
ASP.NET Core is solid, but incidents come from settings: detailed errors exposed in production, secrets hardcoded in appsettings, and missing [Authorize]. Hide prod errors, load secrets from outside config, authorize explicitly. Defensive, no attack steps.
For: anyone running an app or API on ASP.NET Core. No attack steps here — just keeping the solid foundation working while closing the gaps settings open. For the full picture, see the security-by-framework hub.
The big three pitfalls (they open in settings)
ASP.NET Core's mechanisms are excellent, but these three are yours to guard in settings and code.
① Detailed errors in prod
Developer Exception Page etc. leaks internals. Extracted via deliberate errors.
② Secrets in appsettings
Connection strings/keys hardcoded. Leak via accidental commit or exposure.
③ Missing [Authorize]
Forget it and anyone reaches it. No owner check either.
Also watch for unsafe deserialization (BinaryFormatter, etc.), over-posting in model binding, and unpatched NuGet dependency CVEs.
How to close them (3 steps)
Hide detailed errors in production
Load secrets from outside config
Make authorization explicit and cut dangerous input paths
[Authorize] and owner checks to endpoints (default toward deny). Limit over-posting with DTOs or [Bind], and don't deserialize untrusted data with unsafe formats. Keep NuGet dependencies CVE-monitored + patched fast (→ what IDOR is).Common (dangerous)
- Developer Exception Page exposed in production
- secrets hardcoded in
appsettings.json [Authorize]forgotten, no owner check- models accepting every field (over-posting)
Correct
- production hides detailed errors
- secrets from User Secrets/env/Key Vault
- explicit authorization (default deny, owner checks)
- DTOs/[Bind] to limit binding
This site's view: even on a solid foundation, settings and authorization are on you
ASP.NET Core has solid mechanisms for authentication, authorization, and data protection, but production settings and applying authorization are things you must get right per environment and per endpoint. This site is a different stack, but the principle is the same: don't leak internals in production, keep secrets outside config, always write authorization on public entry points, and monitor dependencies for CVEs. A solid foundation only pays off with correct settings and explicit authorization.
Read next
- Hub: security by framework · Spring Boot security (also enterprise, similar dependency/authorization shape)
- Secrets: keep secrets out of public directories · Practice: the vulnerability-response playbook
- Glossary: what IDOR is · what RCE is
FAQ
QIs ASP.NET Core secure?
ASP.NET Core is a mature, solid foundation with strong mechanisms for authentication, authorization, and Data Protection. Used correctly it's powerful, but incidents come not from the core but from settings. Exposing detailed errors in production, hardcoding secrets in appsettings, and forgetting authorization attributes recur less as framework-specific issues than as settings/operations problems.
QWhere should secrets (connection strings, API keys) go?
The rule is: not hardcoded in appsettings.json. In development use User Secrets; in production load from environment variables or a cloud secret manager (e.g. Key Vault). appsettings.json tends to end up in the repo and leaks easily via a public directory or an accidental commit. If one leaks, rotate the connection string or key promptly.
QHow do I prevent forgetting authorization attributes?
Forget [Authorize] on a controller or endpoint and anyone can reach it without authentication. Lean the default toward 'deny' (a fallback policy that rejects unauthenticated requests), make permissions explicit with role/policy-based authorization, and write resource-owner checks. Don't stop at 'logged in = allowed' — verify the owner of the target too.