/ whiteweb.security _
whiteweb.security / guides / appsettings.json exposed
appsettings.json High severity ~7 min read

My appsettings.json got exposed. What should I do?

appsettings.json is the central configuration file for ASP.NET Core applications. It commonly holds database connection strings with embedded passwords, third-party API keys, and JWT signing secrets. If it was publicly reachable, every secret inside needs to be treated as compromised.

First: block access, then rotate — don't do it the other way around.

Rotating your database password while the file is still accessible means anyone reading it during that window gets the old credentials — then fetches the file again for the new ones. Block first, rotate second.

// the 60-second version

  • Block access to appsettings.json and appsettings.*.json at the web server or reverse proxy.
  • Rotate every credential in ConnectionStrings and any API key sections.
  • Migrate production secrets to environment variables or Azure Key Vault.
  • Review IIS / Kestrel access logs for requests to the file.

01Understand what appsettings.json typically contains

ASP.NET Core reads appsettings.json at startup to configure the application. In practice, developers frequently place production secrets directly in this file because it's the path of least resistance. Common contents include:

  • ConnectionStrings — ADO.NET and Entity Framework connection strings often embed the SQL Server username and password directly: Server=db.example.com;Database=prod;User Id=sa;Password=secret123;
  • JwtSettings — the SecretKey used to sign and verify JWT tokens. Anyone with this key can forge valid authentication tokens for any user, including administrators.
  • Third-party API keys — Stripe, SendGrid, Twilio, Azure Cognitive Services, and so on.
  • Environment-specific filesappsettings.Production.json and appsettings.Development.json may contain additional or overriding secrets.

A leaked JWT signing key is particularly dangerous. An attacker can craft a token claiming to be any user — including an admin — and your application will accept it as legitimate until you rotate the key and restart.

02Block public access to the file

ASP.NET Core applications deployed under IIS should already block .json config files, but misconfigurations happen. Add an explicit rule:

IIS — block appsettings via web.configweb.config
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="appsettings.json" />
          <add segment="appsettings.Production.json" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

For a Nginx reverse proxy in front of Kestrel:

nginx — block appsettings files/etc/nginx/sites-enabled/…
location ~* appsettings.*\.json$ {
    deny all;
    return 404;
}

03Rotate all exposed credentials

Work through the file section by section and rotate every credential:

  1. SQL Server / database passwords — change the SQL login password in SSMS or via T-SQL, then update the connection string in the app.
  2. JWT SecretKey — generate a new key (at least 256 bits of entropy), update the app, and restart. All existing tokens will become invalid — that's intentional.
  3. Third-party API keys — revoke in each provider's dashboard and generate replacements.
  4. SMTP credentials — change the mail account password and update SendGrid/Mailgun API keys.

Check appsettings.Development.json as well — developers sometimes accidentally replicate production credentials there for convenience, and these files often end up deployed.

04Use environment variables or Azure Key Vault for secrets

ASP.NET Core's configuration system is designed to support secrets via environment variables, which override appsettings.json values and are never written to disk as files. This is the recommended approach for production:

override appsettings via environment variablebash / systemd / IIS env
# ASP.NET Core reads double-underscore as colon separator # so ConnectionStrings:DefaultConnection becomes: export ConnectionStrings__DefaultConnection="Server=...;Password=newsecret" export JwtSettings__SecretKey="new-256-bit-key-here"

For Azure-hosted applications, use Azure Key Vault with managed identity — your app authenticates to Key Vault via its identity, with no credentials in config files at all. For on-premises or containerised deployments, a tool like HashiCorp Vault or AWS Secrets Manager provides equivalent capability.

05Review IIS and application logs

Determine whether the file was accessed and by whom. Check IIS logs for requests to the file URL:

search IIS logs for appsettings requestsPowerShell
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" ` -Pattern "appsettings" | Where-Object { $_ -match " 200 " }

Note every IP address and timestamp that received a 200 response. Correlate the exposure window (earliest possible access to when you blocked it) against your database logs, API provider logs, and application logs for unusual activity. If you find evidence of credential use, escalate your response accordingly.

Was this guide useful?

These playbooks are free to read and share. If a heads-up ever saved you a bad week, you can say thanks — or jump into the other guides.

More guides Buy me a coffee ☕

// related guides

web.config
My web.config got exposed. What should I do?
 .env
My .env file got exposed. What should I do?