TZacks-2728 avatar image
0 Votes"
TZacks-2728 asked AgaveJoe edited

Guide line for Entity Framework & Entity Framework core data security

i have little knowledge of Entity Framework usage. mostly i work with Sql Helper ADO.Net based wrapper and it has no such data security related features.

so what kind of data security features are there with EF & EF core ?

please provide some good articles or write up links on this subject.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

JackJJun-MSFT avatar image
0 Votes"
JackJJun-MSFT answered AgaveJoe edited

@TZacks-2728 , Welcome to Microsoft Q&A, based on my research, it seems that it doesn't have the related data security features in EF and EF Core.
However, you could follow the following points to know how to consider your data security when you use Entity Framework or Entity Framework core.

  1. General Security Considerations(e.g. Secure the connection string.)

  2. Security Considerations for Queries(e.g. Prevent SQL injection attacks.)

  3. Security Considerations for Entities(e.g. Handle exceptions.)

  4. Security Considerations for ASP.NET Applications(e.g. Verify the path length before deployment. )

  5. Security Considerations for ADO.NET Metadata(e.g. Do not expose sensitive information through logging.)

If you want to know more about it, you could refer to the Microsoft doc Security Considerations (Entity Framework).

Hope my advice could help you.

Best Regards,

If the answer is the right solution, please click "Accept Answer" and upvote it.If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

please tell me how to connection string in appsetting.json file ? i do not want to stored encrypted connection string in appsetting.json file rather i am looking for a tool which code with IDE which would encrypt and store connection string in appsetting.json file. i will pass my salt there for encryption. EF will be able to decrypt encrypted connection string from appsetting.json file and also will not reveal that connection string to developer.

how it will be possible ?

please guide me. thanks

0 Votes 0 ·

Please make an effort to read the openly published documentation before posting. This stuff is openly documented and there is little reason to paste the same information in this forum.

Configuration in ASP.NET Core

I recommend taking advantage of User Secrets while developing so secure data does not make its way to source control. Keep in mind encrypted data can be decrypted and the decryption code is in the code with appsetting.json. Any developer with access to the code can decrypt the data.

I store application configuration on the server in environment variables. But, there are other methods like Azure Vault. Again, this information is thoroughly covered in the docs.

0 Votes 0 ·