Closed sadqiang closed 6 years ago
AFAIK, secret.json used for development only. When you as a user have own password and want to override your development configuration. So, data in this json will be only in your computer, not in SVN.
{ "Administrator": { "Password": "My onw developer password" }}
So, secrets.json might be useful for scenario like u have different users, passwords, etc. in different machines, for example of SQL connection.
And for most securable reason in production we have to use Environment variable which overrides both appsettings.json and secret.json:
set Adminitrator__Password TopSecretPasswordForRealDevOps
The example in the book is meant to be for demonstration purposes only, hence a goofy password like NotSecure123!!
. It's a value only used once to seed the database, and the instructions tell the user to change it immediately.
If you need to store and retrieve a sensitive configuration value repeatedly, you should definitely use environment variables (in production) or secrets.json (in development). This example doesn't really fall into that category in my opinion.
I'll investigate not using a hardcoded password in https://github.com/nbarbettini/little-aspnetcore-book/issues/58.
Putting the following data
in
secret.json
and loading them viaIConfiguration con
should be safer as well as it promotes a better practice.Note:
secret.json
will not be uploaded to github repository.