Merged
Changes from 7 commits
9 changes: 7 additions & 2 deletions aspnetcore/fundamentals/configuration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ ms.custom: mvc
ms.date: 04/26/2024
uid: fundamentals/configuration/index
---
<!-- ms.sfi.ropc: t -->
# Configuration in ASP.NET Core

By [Rick Anderson](https://twitter.com/RickAndMSFT) and [Kirk Larkin](https://twitter.com/serpent5)
Expand Down Expand Up @@ -158,15 +159,15 @@ Configuration data guidelines:
* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files. The [Secret Manager](xref:security/app-secrets) tool can be used to store secrets in development.
* Don't use production secrets in development or test environments.
* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.
* Avoid the use of passwords in production apps; for more information, see [Secure authentication flows](xref:security/index#secure-authentication-flows).

By [default](#default), the user secrets configuration source is registered after the JSON configuration sources. Therefore, user secrets keys take precedence over keys in `appsettings.json` and `appsettings.{Environment}.json`.

For more information on storing passwords or other sensitive data:

* <xref:fundamentals/environments>
* <xref:security/app-secrets>: Includes advice on using environment variables to store sensitive data. The Secret Manager tool uses the [File configuration provider](#fcp) to store user secrets in a JSON file on the local system.

[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) safely stores app secrets for ASP.NET Core apps. For more information, see <xref:security/key-vault-configuration>.
* [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) safely stores app secrets for ASP.NET Core apps. For more information, see <xref:security/key-vault-configuration>.

<a name="evcp"></a>

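Review bot: The new guideline "Avoid the use of passwords in production apps" can be read as covering end-user sign-in passwords, while the bullets around it and the linked "Secure authentication flows" section are about credentials the app itself holds. Suggest scoping the wording to password-based credentials in connection strings and other app configuration, so it does not seem to conflict with the first bullet, which only says where passwords must not be stored. The same bullet is added to the 6.0 and 7.0 moniker files and would need the same wording change.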
Expand Down Expand Up @@ -408,6 +409,8 @@ The preferred way to read hierarchical configuration data is using the options p

## Configuration keys and values

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

Configuration keys:

* Are case-insensitive. For example, `ConnectionString` and `connectionstring` are treated as equivalent keys.
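Review bot: The managed-identities include under `## Configuration keys and values` (at +409) duplicates the one added under `### Connection string prefixes` (at +462) in this same file, so the identical WARNING block renders twice in one article. The content that follows this insertion is about key case-insensitivity, where `ConnectionString` appears only as a sample key name. Consider keeping the include only under the connection string prefixes heading, where connection strings are the actual subject.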
Expand Down Expand Up @@ -459,6 +462,8 @@ The preceding sequence of providers is used in the [default configuration](#defa

### Connection string prefixes

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

The Configuration API has special processing rules for four connection string environment variables. These connection strings are involved in configuring Azure connection strings for the app environment. Environment variables with the prefixes shown in the table are loaded into the app with the [default configuration](#default) or when no prefix is supplied to `AddEnvironmentVariables`.

| Connection string prefix | Provider |
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
:::moniker range=">= aspnetcore-5.0 < aspnetcore-6.0"

<!-- ms.sfi.ropc: t -->
<a name="kestrel"></a>

## Kestrel endpoint configuration
Expand Down Expand Up @@ -149,6 +149,8 @@ Custom configuration providers aren't required to implement array binding.

## Custom configuration provider

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

The sample app demonstrates how to create a basic configuration provider that reads configuration key-value pairs from a database using [Entity Framework (EF)](/ef/core/).

The provider has the following characteristics:
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
:::moniker range="= aspnetcore-6.0"

<!-- ms.sfi.ropc: t -->
Application configuration in ASP.NET Core is performed using one or more [configuration providers](#cp). Configuration providers read configuration data from key-value pairs using a variety of configuration sources:

* Settings files, such as `appsettings.json`
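Review bot: In this `@@ -1,5 +1,5 @@` hunk the `<!-- ms.sfi.ropc: t -->` marker takes the place of the blank line after `:::moniker range="= aspnetcore-6.0"`, which leaves the comment pressed directly against the opening paragraph with no blank line on either side. use-http-context.md in this same change keeps a blank line after the marker. Suggest adding the marker as a new line and keeping the blank line, here and in the 5.0 and 7.0 moniker files, so the marker placement is consistent across the PR.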
Expand Down Expand Up @@ -135,6 +135,7 @@ Configuration data guidelines:
* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files. The [Secret Manager](xref:security/app-secrets) tool can be used to store secrets in development.
* Don't use production secrets in development or test environments.
* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.
* Avoid the use of passwords in production apps; for more information, see [Secure authentication flows](xref:security/index#secure-authentication-flows).

By [default](#default), the user secrets configuration source is registered after the JSON configuration sources. Therefore, user secrets keys take precedence over keys in `appsettings.json` and `appsettings.{Environment}.json`.

Expand Down Expand Up @@ -385,6 +386,8 @@ The preferred way to read hierarchical configuration data is using the options p

## Configuration keys and values

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

Configuration keys:

* Are case-insensitive. For example, `ConnectionString` and `connectionstring` are treated as equivalent keys.
Expand Down Expand Up @@ -436,6 +439,8 @@ The preceding sequence of providers is used in the [default configuration](#defa

### Connection string prefixes

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

The Configuration API has special processing rules for four connection string environment variables. These connection strings are involved in configuring Azure connection strings for the app environment. Environment variables with the prefixes shown in the table are loaded into the app with the [default configuration](#default) or when no prefix is supplied to `AddEnvironmentVariables`.

| Connection string prefix | Provider |
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
:::moniker range="= aspnetcore-7.0"

<!-- ms.sfi.ropc: t -->
Application configuration in ASP.NET Core is performed using one or more [configuration providers](#cp). Configuration providers read configuration data from key-value pairs using a variety of configuration sources:

* Settings files, such as `appsettings.json`
Expand Down Expand Up @@ -140,6 +140,7 @@ Configuration data guidelines:
* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files. The [Secret Manager](xref:security/app-secrets) tool can be used to store secrets in development.
* Don't use production secrets in development or test environments.
* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.
* Avoid the use of passwords in production apps; for more information, see [Secure authentication flows](xref:security/index#secure-authentication-flows).
Contributor


same


By [default](#default), the user secrets configuration source is registered after the JSON configuration sources. Therefore, user secrets keys take precedence over keys in `appsettings.json` and `appsettings.{Environment}.json`.

Expand Down Expand Up @@ -390,6 +391,8 @@ The preferred way to read hierarchical configuration data is using the options p

## Configuration keys and values

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

Configuration keys:

* Are case-insensitive. For example, `ConnectionString` and `connectionstring` are treated as equivalent keys.
Expand Down Expand Up @@ -441,6 +444,8 @@ The preceding sequence of providers is used in the [default configuration](#defa

### Connection string prefixes

[!INCLUDE [managed-identities](~/includes/managed-identities-conn-strings.md)]

The Configuration API has special processing rules for four connection string environment variables. These connection strings are involved in configuring Azure connection strings for the app environment. Environment variables with the prefixes shown in the table are loaded into the app with the [default configuration](#default) or when no prefix is supplied to `AddEnvironmentVariables`.

| Connection string prefix | Provider |
2 changes: 1 addition & 1 deletion aspnetcore/fundamentals/configuration/options.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ when updating this article -->

:::moniker range=">= aspnetcore-7.0"

By [Rick Anderson](https://twitter.com/RickAndMSFT).
By [Rick Anderson](https://twitter.com/RickAndMSFT)

The options pattern uses classes to provide strongly typed access to groups of related settings. When [configuration settings](xref:fundamentals/configuration/index) are isolated by scenario into separate classes, the app adheres to two important software engineering principles:

6 changes: 4 additions & 2 deletions aspnetcore/fundamentals/use-http-context.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,11 @@ author: jamesnk
description: How to use HttpContext in ASP.NET Core.
monikerRange: '>= aspnetcore-3.1'
ms.author: wpickett
ms.date: 01/31/2022
ms.date: 10/07/2024
uid: fundamentals/use-httpcontext
---
<!-- ms.sfi.ropc: t -->

# Use HttpContext in ASP.NET Core

[!INCLUDE[](~/includes/not-latest-version.md)]
Expand All @@ -28,7 +30,7 @@ Commonly used members on `HttpRequest` include:
|<xref:Microsoft.AspNetCore.Http.HttpRequest.Headers?displayProperty=nameWithType>|A collection of request headers.|`user-agent=Edge`<br />`x-custom-header=MyValue`|
|<xref:Microsoft.AspNetCore.Http.HttpRequest.RouteValues?displayProperty=nameWithType>|A collection of route values. The collection is set when the request is matched to a route.|`language=en`<br />`article=getstarted`|
|<xref:Microsoft.AspNetCore.Http.HttpRequest.Query?displayProperty=nameWithType>|A collection of query values parsed from <xref:Microsoft.AspNetCore.Http.HttpRequest.QueryString>.|`filter=hello`<br />`page=1`|
|[HttpRequest.ReadFormAsync()](xref:Microsoft.AspNetCore.Http.HttpRequest.ReadFormAsync(System.Threading.CancellationToken))|A method that reads the request body as a form and returns a form values collection. For information about why `ReadFormAsync` should be used to access form data, see [Prefer ReadFormAsync over Request.Form](xref:fundamentals/best-practices#prefer-readformasync-over-requestform).|`[email protected]`<br />`password=TNkt4taM`|
|[HttpRequest.ReadFormAsync()](xref:Microsoft.AspNetCore.Http.HttpRequest.ReadFormAsync(System.Threading.CancellationToken))|A method that reads the request body as a form and returns a form values collection. For information about why `ReadFormAsync` should be used to access form data, see [Prefer ReadFormAsync over Request.Form](xref:fundamentals/best-practices#prefer-readformasync-over-requestform).|`[email protected]`|
|<xref:Microsoft.AspNetCore.Http.HttpRequest.Body?displayProperty=nameWithType>|A <xref:System.IO.Stream> for reading the request body.|UTF-8 JSON payload|

### Get request headers
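Review bot: With `password=TNkt4taM` dropped from the `HttpRequest.ReadFormAsync()` row, the Example column there shows a single value, while the Headers, RouteValues and Query rows each show two values separated by `<br />`. Suggest putting a second, non-sensitive form field in its place so the row still illustrates a form values collection rather than a single field.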
9 changes: 9 additions & 0 deletions aspnetcore/includes/managed-identities-conn-strings.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
author: tdykstra
ms.author: tdykstra
ms.date: 10/16/2024
ms.topic: include
---
<!-- ms.sfi.ropc: t -->
> [!WARNING]
> This article shows the use of connection strings. With a local database the user doesn't have to be authenticated, but in production, connection strings sometimes include a password to authenticate. A resource owner password credential (ROPC) is a security risk that should be avoided in production databases. Production apps should use the most secure authentication flow available. For more information on authentication for apps deployed to test or production environments, see [Secure authentication flows](xref:security/index#secure-authentication-flows).
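Review bot: The WARNING text goes from "connection strings sometimes include a password to authenticate" straight to "A resource owner password credential (ROPC) is a security risk" without saying how the two relate, and although the file is named managed-identities-conn-strings.md, the text never mentions managed identities. Suggest adding a clause that ties the connection string password to ROPC and naming the recommended alternative in the warning itself instead of leaving it to the linked page. "This article" will also read oddly where the include is placed under a section heading mid-article; neutral wording would fit every insertion point.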