Security, Authentication, and Authorization in ASP.NET Web Forms

We recommend using the most secure secure authentication option. For .NET apps deployed to Azure, see:

• Azure Key Vault libraries for .NET
• .NET Aspire Azure Key Vault integration

Azure Key Vault and .NET Aspire provide the most secure way to store and retrieve secrets. Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. For .NET Aspire, see Secure communication between hosting and client integrations.

Avoid Resource Owner Password Credentials Grant because it:

• Exposes the user's password to the client.
• Is a significant security risk.
• Should only be used when other authentication flows are not possible.

When the app is deployed to a test server, an environment variable can be used to set the connection string to a test database server. Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. We recommend against using environment variables to store a production connection string as it's not the most secure approach.

Configuration data guidelines:

• Never store passwords or other sensitive data in configuration provider code or in plain text configuration files.
• Don't use production secrets in development or test environments.
• Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.

How to let users to log in to your site (and optionally be assigned to roles) using either a login form or Windows authentication.

• Create a secure ASP.NET Web Forms app with user registration, email confirmation and password reset (C#)
• Create an ASP.NET Web Forms app with SMS Two-Factor Authentication (C#)