From b312226f7792b86cbf5a145249ecd00bd685b0ac Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:11:45 -0400 Subject: [PATCH 01/14] Blazor ROPC --- aspnetcore/blazor/blazor-ef-core.md | 2 ++ .../includes/secure-authentication-flows.md | 8 ++++++++ aspnetcore/blazor/security/index.md | 11 +++++++++++ .../account-confirmation-and-password-recovery.md | 4 +++- aspnetcore/blazor/security/server/index.md | 9 +++++++++ aspnetcore/blazor/security/webassembly/index.md | 15 +++++++++++++-- .../webassembly/standalone-with-identity.md | 4 ++++ .../blazor/tutorials/movie-database-app/part-1.md | 2 ++ .../blazor/tutorials/movie-database-app/part-2.md | 4 ++++ .../blazor/tutorials/movie-database-app/part-4.md | 4 +++- 10 files changed, 59 insertions(+), 4 deletions(-) create mode 100644 aspnetcore/blazor/security/includes/secure-authentication-flows.md diff --git a/aspnetcore/blazor/blazor-ef-core.md b/aspnetcore/blazor/blazor-ef-core.md index 8d2ad9ed048d..fe0d7e580da7 100644 --- a/aspnetcore/blazor/blazor-ef-core.md +++ b/aspnetcore/blazor/blazor-ef-core.md @@ -148,6 +148,8 @@ The fastest way to create a new i * Using [`DbContextOptions`](/ef/core/miscellaneous/configuring-dbcontext#configuring-dbcontextoptions) to configure the context. * Using a connection string per , such as when you use [ASP.NET Core's Identity model](xref:security/authentication/customize_identity_model). For more information, see [Multi-tenancy (EF Core documentation)](/ef/core/miscellaneous/multitenancy). +[!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] + The recommended approach to create a new with dependencies is to use a factory. EF Core 5.0 or later provides a built-in factory for creating new contexts. :::moniker range="< aspnetcore-5.0" 
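Review bot: the include lands in `blazor-ef-core.md` between the `DbContextOptions` bullet list and the "recommended approach ... is to use a factory" paragraph, where its first sentence (client-side code is "always insecure") has no bearing on an article about server-side `DbContext` use; only the second sentence about server-side authentication flows applies here. Either attach the warning to the "connection string per ..." bullet, which is the actual hook for it, or give this page a server-side-only variant of the include so a reader of the EF Core article isn't told about client-side code. Note also that the subject line says "Blazor ROPC" while none of the hunks in this commit touch the resource owner password credentials flow; a subject that names the secrets-handling guidance would make the history searchable.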
diff --git a/aspnetcore/blazor/security/includes/secure-authentication-flows.md b/aspnetcore/blazor/security/includes/secure-authentication-flows.md new file mode 100644 index 000000000000..f8eadcf3ce05 --- /dev/null +++ b/aspnetcore/blazor/security/includes/secure-authentication-flows.md @@ -0,0 +1,8 @@ +--- +author: guardrex +ms.author: riande +ms.date: 09/30/2024 +ms.topic: include +--- +> [!WARNING] +> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. Server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, or environment variables. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index ad48066f3da9..010122d66aef 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md 
@@ -43,6 +43,17 @@ ASP.NET Core abstractions, such as [!NOTE] > The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core in .NET 6 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from examples in this article. +## Securely maintain sensitive data and credentials + +Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private .NET/C# code, or private keys/tokens in client-side code, which is ***always insecure***. Client-side Blazor code should access secure services and databases through a secure web API that you control. + +Server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, or environment variables. For more information, see the following resources: + +* [Secure authentication flows (ASP.NET Core documentation)](xref:security/index#secure-authentication-flows) +* [Managed identities for Microsoft Azure services (this article)](#managed-identities-for-microsoft-azure-services) + +During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. + ## Managed identities for Microsoft Azure services For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources: diff --git a/aspnetcore/blazor/security/server/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/server/account-confirmation-and-password-recovery.md index 1398cf63424f..568b3d64e619 100644 --- a/aspnetcore/blazor/security/server/account-confirmation-and-password-recovery.md 
+++ b/aspnetcore/blazor/security/server/account-confirmation-and-password-recovery.md @@ -40,7 +40,7 @@ builder.Services.Configure(builder.Configuration); ## Configure a user secret for the provider's security key -Set the key with the [secret-manager tool](xref:security/app-secrets). In the following example, the key name is `EmailAuthKey` and the key is represented by the `{KEY}` placeholder. In a command shell, navigate to the app's root folder and execute the following command with the API key: +Set the key with the [Secret Manager tool](xref:security/app-secrets). In the following example, the key name is `EmailAuthKey`, and the key is represented by the `{KEY}` placeholder. In a command shell, navigate to the app's root folder and execute the following command with the API key: ```dotnetcli dotnet user-secrets set "EmailAuthKey" "{KEY}" @@ -48,6 +48,8 @@ dotnet user-secrets set "EmailAuthKey" "{KEY}" For more information, see . +[!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] + ## Implement `IEmailSender` Implement `IEmailSender` for the provider. The following example is based on Mailchimp's Transactional API using [Mandrill.net](https://www.nuget.org/packages/Mandrill.net). For a different provider, refer to their documentation on how to implement sending a message in the `Execute` method. diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 856c6cc08096..e1fdfe99cf2c 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -28,6 +28,15 @@ Blazor differs from a traditional server-rendered web apps that make new HTTP re > [!NOTE] > The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core in .NET 6 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from the examples in this article. +## Server-side security of sensitive data and credentials + +Server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, or environment variables. For more information, see the following resources: + +* [Secure authentication flows (ASP.NET Core documentation)](xref:security/index#secure-authentication-flows) +* [Managed identities for Microsoft Azure services (this article)](#managed-identities-for-microsoft-azure-services) + +During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. + ## Project template Create a new server-side Blazor app by following the guidance in . diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index 0b1e1b5309e4..a76cd2c871e7 100644 --- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -16,12 +16,23 @@ Blazor WebAssembly apps are secured in the same manner as single-page applicatio The Blazor WebAssembly security documentation primarily focuses on how to accomplish user authentication and authorization tasks. For OAuth 2.0/OIDC general concept coverage, see the resources in the [main overview article's *Additional resources* section](xref:blazor/security/index#additional-resources). -## Client-side/SPA security +## Client-side/SPA security of sensitive data and credentials -A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place anything of a secret nature into a Blazor WebAssembly app, such as private .NET/C# code, security keys, passwords, or any other type of sensitive information. +A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place anything of a secret nature into a Blazor WebAssembly app: + +* App secrets +* Connection strings +* Credentials +* Passwords +* Personal identification numbers (PINs) +* Private .NET/C# code +* Private keys/tokens +* Sensitive data To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/data-protection/introduction) features to secure data, use a server-side ASP.NET Core web API. Have the client-side Blazor WebAssembly app call the server-side web API for secure app features and data processing. For more information, see and the articles in this node. +During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. 
+ ## Authentication library Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library using the [Microsoft Identity Platform](/entra/identity-platform/). The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP). diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index ce38bdab7b8d..c9a476d8a946 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md @@ -94,6 +94,10 @@ For additional Identity scenarios provided by the API, see object. For local development, the connection string is read from the `appsettings.json` file. +[!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] + ## Test the app Run the app. diff --git a/aspnetcore/blazor/tutorials/movie-database-app/part-4.md b/aspnetcore/blazor/tutorials/movie-database-app/part-4.md index 937d263ab500..b44113a9a302 100644 --- a/aspnetcore/blazor/tutorials/movie-database-app/part-4.md +++ b/aspnetcore/blazor/tutorials/movie-database-app/part-4.md 
@@ -97,7 +97,9 @@ The following is an example connection string: > :::no-loc text="Server=(localdb)\\mssqllocaldb;Database=BlazorWebAppMoviesContext-c347f669-bddf-56a3-a32e-7fe010306593;Trusted_Connection=True;MultipleActiveResultSets=true"::: -When the app is deployed to a test/staging or production server, an environment variable can be used to set the connection string to a test/staging or production database server. +When the app is deployed to a test/staging or production server, securely store the connection string outside of the project's configuration files. + +[!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] ## Database technology From 16fdb9bbe96f38012e3dc0fe46efa6181f952e32 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:16:56 -0400 Subject: [PATCH 02/14] Updates --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index e1fdfe99cf2c..05d3f5487c65 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -33,7 +33,7 @@ Blazor differs from a traditional server-rendered web apps that make new HTTP re Server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, or environment variables. For more information, see the following resources: * [Secure authentication flows (ASP.NET Core documentation)](xref:security/index#secure-authentication-flows) -* [Managed identities for Microsoft Azure services (this article)](#managed-identities-for-microsoft-azure-services) +* [Managed identities for Microsoft Azure services (Blazor documentation)](xref:blazor/security/index#managed-identities-for-microsoft-azure-services) During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. From 03921a2102f88c9ed9ccf76ccbb4bdcd42bfed3a Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:27:11 -0400 Subject: [PATCH 03/14] Updates --- .../blazor/security/includes/secure-authentication-flows.md | 2 +- aspnetcore/blazor/security/index.md | 2 +- aspnetcore/blazor/security/server/index.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/includes/secure-authentication-flows.md b/aspnetcore/blazor/security/includes/secure-authentication-flows.md index f8eadcf3ce05..04598f16de36 100644 --- a/aspnetcore/blazor/security/includes/secure-authentication-flows.md +++ b/aspnetcore/blazor/security/includes/secure-authentication-flows.md 
@@ -5,4 +5,4 @@ ms.date: 09/30/2024 ms.topic: include --- > [!WARNING] -> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. Server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, or environment variables. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). +> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, and environment variables. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index 010122d66aef..de9af9b335ce 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md @@ -47,7 +47,7 @@ ASP.NET Core abstractions, such as Date: Mon, 30 Sep 2024 10:30:44 -0400 Subject: [PATCH 04/14] Updates --- aspnetcore/blazor/security/index.md | 2 +- aspnetcore/blazor/security/server/index.md | 2 +- aspnetcore/blazor/security/webassembly/index.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index de9af9b335ce..6ecf71bccf44 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md 
@@ -52,7 +52,7 @@ In test/staging and production environments, server-side Blazor code and web API * [Secure authentication flows (ASP.NET Core documentation)](xref:security/index#secure-authentication-flows) * [Managed identities for Microsoft Azure services (this article)](#managed-identities-for-microsoft-azure-services) -During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. +For client-side and server-side local development and testing, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. ## Managed identities for Microsoft Azure services diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index dc70f146be53..722005abc1e1 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -35,7 +35,7 @@ In test/staging and production environments, server-side Blazor code and web API * [Secure authentication flows (ASP.NET Core documentation)](xref:security/index#secure-authentication-flows) * [Managed identities for Microsoft Azure services (Blazor documentation)](xref:blazor/security/index#managed-identities-for-microsoft-azure-services) -During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. +For client-side and server-side local development and testing, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. ## Project template diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index a76cd2c871e7..22316f16ba16 100644 --- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -31,7 +31,7 @@ A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/data-protection/introduction) features to secure data, use a server-side ASP.NET Core web API. Have the client-side Blazor WebAssembly app call the server-side web API for secure app features and data processing. For more information, see and the articles in this node. -During development, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. +For client-side and server-side local development and testing, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. ## Authentication library From 1e91a925253891be2d59d8f2eea4d55f6b037aa3 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:33:37 -0400 Subject: [PATCH 05/14] Updates --- .../blazor/security/webassembly/standalone-with-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index c9a476d8a946..84ae790caa97 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md @@ -94,7 +94,7 @@ For additional Identity scenarios provided by the API, see Date: Mon, 30 Sep 2024 11:13:40 -0400 Subject: [PATCH 06/14] Updates --- .../security/blazor-web-app-with-oidc.md | 54 +++---------------- 1 file changed, 8 insertions(+), 46 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index 4d4b105d8089..e115c1998e80 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md 
@@ -111,31 +111,12 @@ The following : The OIDC client secret. - **The following example is only for testing and demonstration purposes. Don't store the client secret in the app's assembly or check the secret into source control.** Store the client secret in [User Secrets](xref:security/app-secrets), [Azure Key Vault](xref:security/key-vault-configuration), or an [environment variable](xref:fundamentals/configuration/index#non-prefixed-environment-variables). - - Authentication scheme configuration is automatically read from `builder.Configuration["Authentication:Schemes:{SCHEME NAME}:{PropertyName}"]`, where the `{SCHEME NAME}` placeholder is the scheme, which is `MicrosoftOidc`. Because configuration is preconfigured, a client secret can automatically be read via the `Authentication:Schemes:MicrosoftOidc:ClientSecret` configuration key. On the server using environment variables, name the environment variable `Authentication__Schemes__MicrosoftOidc__ClientSecret`: + Don't store the client secret in the app's assembly or check the secret into source control. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). - ```dotnetcli - set Authentication__Schemes__MicrosoftOidc__ClientSecret={CLIENT SECRET} - ``` + **For local development and testing**, use one of the following approaches: - **For demonstration and testing only**, the can be set directly. Don't set the value directly for deployed production apps. 
For slightly improved security, [conditionally compile](/dotnet/csharp/language-reference/preprocessor-directives#conditional-compilation) the line with the `DEBUG` symbol: - - ```csharp - #if DEBUG - oidcOptions.ClientSecret = "{CLIENT SECRET}"; - #endif - ``` - - Example: - - Client secret (`{CLIENT SECRET}`): `463471c8c4...f90d674bc9` (shortened for display) - - ```csharp - #if DEBUG - oidcOptions.ClientSecret = "463471c8c4...137f90d674bc9"; - #endif - ``` + * Use the [Secret Manager tool](xref:security/app-secrets) to secure the secret locally. + * Authentication scheme configuration is automatically read from `builder.Configuration["Authentication:Schemes:{SCHEME NAME}:{PropertyName}"]`, where the `{SCHEME NAME}` placeholder is the scheme, which is `MicrosoftOidc`. Because configuration is preconfigured, a client secret can automatically be read during local development via the `Authentication:Schemes:MicrosoftOidc:ClientSecret` configuration key from an `appsettings.Development.json` file. * : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. 
@@ -379,31 +360,12 @@ The following : The OIDC client secret. - **The following example is only for testing and demonstration purposes. Don't store the client secret in the app's assembly or check the secret into source control.** Store the client secret in [User Secrets](xref:security/app-secrets), [Azure Key Vault](xref:security/key-vault-configuration), or an [environment variable](xref:fundamentals/configuration/index#non-prefixed-environment-variables). - - Authentication scheme configuration is automatically read from `builder.Configuration["Authentication:Schemes:{SCHEME NAME}:{PropertyName}"]`, where the `{SCHEME NAME}` placeholder is the scheme, which is `MicrosoftOidc`. Because configuration is preconfigured, a client secret can automatically be read via the `Authentication:Schemes:MicrosoftOidc:ClientSecret` configuration key. On the server using environment variables, name the environment variable `Authentication__Schemes__MicrosoftOidc__ClientSecret`: + Don't store the client secret in the app's assembly or check the secret into source control. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). - ```dotnetcli - set Authentication__Schemes__MicrosoftOidc__ClientSecret={CLIENT SECRET} - ``` + **For local development and testing**, use one of the following approaches: - **For demonstration and testing only**, the can be set directly. Don't set the value directly for deployed production apps. 
For slightly improved security, [conditionally compile](/dotnet/csharp/language-reference/preprocessor-directives#conditional-compilation) the line with the `DEBUG` symbol: - - ```csharp - #if DEBUG - oidcOptions.ClientSecret = "{CLIENT SECRET}"; - #endif - ``` - - Example: - - Client secret (`{CLIENT SECRET}`): `463471c8c4...f90d674bc9` (shortened for display) - - ```csharp - #if DEBUG - oidcOptions.ClientSecret = "463471c8c4...137f90d674bc9"; - #endif - ``` + * Use the [Secret Manager tool](xref:security/app-secrets) to secure the secret locally. + * Authentication scheme configuration is automatically read from `builder.Configuration["Authentication:Schemes:{SCHEME NAME}:{PropertyName}"]`, where the `{SCHEME NAME}` placeholder is the scheme, which is `MicrosoftOidc`. Because configuration is preconfigured, a client secret can automatically be read during local development via the `Authentication:Schemes:MicrosoftOidc:ClientSecret` configuration key from an `appsettings.Development.json` file. * : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. From 3634c6ccbbcb6f6723ca2775b2fa65d693d3e2b0 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 11:43:50 -0400 Subject: [PATCH 07/14] Updates --- aspnetcore/blazor/security/webassembly/index.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index 22316f16ba16..c03c1fc54060 100644 --- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -18,16 +18,7 @@ The Blazor WebAssembly security documentation primarily focuses on how to accomp ## Client-side/SPA security of sensitive data and credentials -A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place anything of a secret nature into a Blazor WebAssembly app: - -* App secrets -* Connection strings -* Credentials -* Passwords -* Personal identification numbers (PINs) -* Private .NET/C# code -* Private keys/tokens -* Sensitive data +A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place anything of a secret nature into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data. To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/data-protection/introduction) features to secure data, use a server-side ASP.NET Core web API. Have the client-side Blazor WebAssembly app call the server-side web API for secure app features and data processing. For more information, see and the articles in this node. From 475ecc368b85313316964a17f28c7c1c06242d7b Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 11:44:58 -0400 Subject: [PATCH 08/14] Updates --- aspnetcore/blazor/security/webassembly/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index c03c1fc54060..268667f14989 100644 --- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -18,7 +18,7 @@ The Blazor WebAssembly security documentation primarily focuses on how to accomp ## Client-side/SPA security of sensitive data and credentials -A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place anything of a secret nature into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data. +A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place data of a secret nature into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data. To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/data-protection/introduction) features to secure data, use a server-side ASP.NET Core web API. Have the client-side Blazor WebAssembly app call the server-side web API for secure app features and data processing. For more information, see and the articles in this node. From 8a66de641bf397b8dcdeb8758497885f6df8a5fb Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:35:53 -0400 Subject: [PATCH 09/14] Updates --- .../blazor/security/includes/secure-authentication-flows.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/aspnetcore/blazor/security/includes/secure-authentication-flows.md b/aspnetcore/blazor/security/includes/secure-authentication-flows.md index 04598f16de36..ee4f0d5944ab 100644 --- a/aspnetcore/blazor/security/includes/secure-authentication-flows.md +++ b/aspnetcore/blazor/security/includes/secure-authentication-flows.md 
@@ -1,8 +1,2 @@ ---- -author: guardrex -ms.author: riande -ms.date: 09/30/2024 -ms.topic: include ---- > [!WARNING] > Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, and environment variables. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). From a6d5797cf7e8bc4c7f442217e6e2eed88f760021 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:00:10 -0400 Subject: [PATCH 10/14] Update aspnetcore/blazor/security/webassembly/index.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> --- aspnetcore/blazor/security/webassembly/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index 268667f14989..f53cb9e4856f 100644 --- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -18,7 +18,7 @@ The Blazor WebAssembly security documentation primarily focuses on how to accomp ## Client-side/SPA security of sensitive data and credentials -A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place data of a secret nature into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data. +A Blazor WebAssembly app's .NET/C# codebase is served to clients, and the app's code can't be protected from inspection and tampering by users. Never place credentials or secrets into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data. To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/data-protection/introduction) features to secure data, use a server-side ASP.NET Core web API. Have the client-side Blazor WebAssembly app call the server-side web API for secure app features and data processing. For more information, see and the articles in this node. From 715a134e16d7afe4df101e98bc3b0c25129948e2 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 18:18:08 -0400 Subject: [PATCH 11/14] Updates --- aspnetcore/blazor/components/data-binding.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aspnetcore/blazor/components/data-binding.md b/aspnetcore/blazor/components/data-binding.md index ae3f5db72a19..0c6d22b60228 100644 --- a/aspnetcore/blazor/components/data-binding.md +++ b/aspnetcore/blazor/components/data-binding.md 
@@ -658,6 +658,8 @@ In a more sophisticated and real-world example, the following `PasswordEntry` co * Exposes changes of a `Password` property to a parent component with an [`EventCallback`](xref:blazor/components/event-handling#eventcallback) that passes in the current value of the child's `password` field as its argument. * Uses the `onclick` event to trigger the `ToggleShowPassword` method. For more information, see . +[!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] + `PasswordEntry.razor`: :::moniker range=">= aspnetcore-8.0" From 855c82f7bc4855db1108739f3938c6542db86568 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 30 Sep 2024 18:21:38 -0400 Subject: [PATCH 12/14] Updates --- aspnetcore/blazor/security/blazor-web-app-with-oidc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index e115c1998e80..77553c551848 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md @@ -116,7 +116,7 @@ The following : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. @@ -365,7 +365,7 @@ The following : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. From 8cbf481cdd7853f8dd5ed540c97d74d19ae44c0d Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 8 Oct 2024 03:26:01 -0400 Subject: [PATCH 13/14] Updates --- .../blazor/security/includes/secure-authentication-flows.md | 2 +- aspnetcore/blazor/security/index.md | 2 +- aspnetcore/blazor/security/server/index.md | 2 +- aspnetcore/blazor/security/webassembly/index.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/aspnetcore/blazor/security/includes/secure-authentication-flows.md b/aspnetcore/blazor/security/includes/secure-authentication-flows.md index ee4f0d5944ab..d12f2d06d254 100644 --- a/aspnetcore/blazor/security/includes/secure-authentication-flows.md +++ b/aspnetcore/blazor/security/includes/secure-authentication-flows.md @@ -1,2 +1,2 @@ > [!WARNING] -> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code, configuration files, and environment variables. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). +> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code or configuration files. Outside of local development testing, avoid the use of environment variables to store sensitive data, as environment variables aren't the most secure approach. For local development testing, the [Secret Manager tool](xref:security/app-secrets) is recommended for securing sensitive data. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index 6ecf71bccf44..104833a3f8f2 100644 --- a/aspnetcore/blazor/security/index.md 
+++ b/aspnetcore/blazor/security/index.md @@ -47,7 +47,7 @@ ASP.NET Core abstractions, such as and the articles in this node. -For client-side and server-side local development and testing, use the [Secret Manager tool](xref:security/app-secrets) to secure sensitive credentials. +For local development testing, the [Secret Manager tool](xref:security/app-secrets) is recommended for securing sensitive data. ## Authentication library From e53b81812019eddb1a522c08d35c9a1b86790ae0 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 8 Oct 2024 06:32:25 -0400 Subject: [PATCH 14/14] Updates --- .../blazor/security/includes/secure-authentication-flows.md | 2 +- aspnetcore/blazor/security/index.md | 2 +- aspnetcore/blazor/security/server/index.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/includes/secure-authentication-flows.md b/aspnetcore/blazor/security/includes/secure-authentication-flows.md index d12f2d06d254..b3567bf4e229 100644 --- a/aspnetcore/blazor/security/includes/secure-authentication-flows.md +++ b/aspnetcore/blazor/security/includes/secure-authentication-flows.md 
@@ -1,2 +1,2 @@ > [!WARNING] -> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code or configuration files. Outside of local development testing, avoid the use of environment variables to store sensitive data, as environment variables aren't the most secure approach. For local development testing, the [Secret Manager tool](xref:security/app-secrets) is recommended for securing sensitive data. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). +> Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code or configuration files. Outside of local development testing, we recommend avoiding the use of environment variables to store sensitive data, as environment variables aren't the most secure approach. For local development testing, the [Secret Manager tool](xref:security/app-secrets) is recommended for securing sensitive data. For more information, see [Securely maintain sensitive data and credentials](xref:blazor/security/index#securely-maintain-sensitive-data-and-credentials). diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index 104833a3f8f2..c11fe65fd28d 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md 
@@ -47,7 +47,7 @@ ASP.NET Core abstractions, such as
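Review bot: In the secure-authentication-flows.md hunk that strips the YAML front matter (`@@ -1,8 +1,2 @@`), the same commit also changes "configuration files, or environment variables" to "configuration files, and environment variables", which puts environment variables on the same footing as credentials hardcoded in source; the later patches 13 and 14 walk that back into a separate sentence, so this intermediate wording is superseded. Suggest squashing these three revisions of the include into one commit so the history doesn't carry a version of the warning that the PR itself contradicts.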
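Review bot: In the webassembly/index.md hunk (`@@ -18,7 +18,7 @@`), the rewritten sentence "Never place credentials or secrets into a Blazor WebAssembly app, such as app secrets, connection strings, passwords, private .NET/C# code, or other sensitive data" is now internally inconsistent: "secrets ... such as app secrets" is circular, and "private .NET/C# code" is neither a credential nor a secret. Suggest "Never place credentials, secrets, or other sensitive data into a Blazor WebAssembly app, such as connection strings, passwords, API keys, or private .NET/C# code", which keeps the point that proprietary code shipped to the browser is inspectable without mislabeling it.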
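Review bot: In the data-binding.md hunk (`@@ -658,6 +658,8 @@`), the warning is inserted directly above `PasswordEntry.razor`, but that component binds a password the user types at runtime; it doesn't store a credential in code, which is what the include warns against. Without a bridging sentence a reader may conclude the example itself is unsafe. Suggest one line before the include such as "The following example handles a password entered by the user at runtime; the warning below concerns credentials embedded in app code or configuration, which is a separate concern", or drop the include here and keep it on the security pages where it applies.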
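Review bot: The two hunks in blazor-web-app-with-oidc.md (`@@ -116,7 +116,7 @@` and `@@ -365,7 +365,7 @@`) change one line each inside passages whose visible context is identical ("Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode."), but the changed lines themselves aren't shown here, so the edit can't be reviewed from this view. Since this PR already factors shared text into `~/blazor/security/includes/`, consider doing the same for this duplicated OIDC-configuration description so that future wording fixes land in one place rather than two.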
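Review bot: In the patch 13 and 14 hunks to secure-authentication-flows.md (`@@ -1,2 +1,2 @@`), "environment variables aren't the most secure approach" gives the reader no reason to act on, and patch 14 then softens it further to "we recommend avoiding", so the sentence now hedges twice. Suggest one direct sentence with the reason and the alternative, for example: "Outside of local development, don't store sensitive data in environment variables: they're readable by any process running under the same account, are inherited by child processes, and often end up in logs and crash dumps. Use a secrets store provided by your hosting platform instead." Also, "secure authentication flows" is used in both revisions without saying what qualifies; naming managed identities or a key vault as examples, or linking to the section that does, would make the advice actionable.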
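Review bot: In the security/index.md hunk (`@@ -47,7 +47,7 @@`), replacing "use the Secret Manager tool to secure sensitive credentials" with "the Secret Manager tool is recommended for securing sensitive data" overstates what the tool does: Secret Manager keeps values out of the project tree but stores them unencrypted in the user profile, so "securing" is the wrong verb. Dropping the "client-side and server-side" scope is correct, since a client-side project has no safe place for secrets at all, but "local development testing" reads as a typo for "local development and testing". Suggest: "For local development and testing, use the Secret Manager tool to keep sensitive data out of the project tree; it isn't a protected store and shouldn't be used beyond the developer machine."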