I'm in the process of creating a new ASP.NET Core Web app and am converting .NET standard into .NET Core. All the tutorials mention a Startup.cs that is missing from this version of .NET Core application.
After Troubleshooting, I may have found a solution but want to confirm if this is viable from a security standpoint.
In my Key Vault, I have entries correctly loaded. In appsettings.json, I have entries loaded into Sections using the same name from Key Vault Keys
appsettings.json
"Api": {
"ConnectorId": "",
"ClientSecret": "",
"PRODBaseUrl": "",
"CertificateSubjectName": "",
"RoutingId": "",
"Thumbprint": ""
}
Program.cs
builder.Configuration.AddAzureKeyVault(
new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
new DefaultAzureCredential());
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
foreach (IConfigurationSection? item in app.Configuration.GetChildren())
{
foreach (var sectionItem in item.GetChildren())
{
var test = sectionItem;
if (test.Key != null && string.IsNullOrEmpty(test.Value))
app.Configuration[test.Key] = builder.Configuration[test.Key];
}
}
app.UseHsts();
}
As far as functionality, this seems to work exactly how I need it to.
Am I on the right path, or are there some security implications for the above usage?