From 28dda05ff9e859cb5daf10b462e05efb743f1ece Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 30 Oct 2024 15:59:07 -1000 Subject: [PATCH] Update index.md --- aspnetcore/security/index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/aspnetcore/security/index.md b/aspnetcore/security/index.md index d8ab5f4c0068..e6d45316ce57 100644 --- a/aspnetcore/security/index.md +++ b/aspnetcore/security/index.md @@ -63,6 +63,12 @@ Managed identities are a secure way to authenticate to services without needing When the app is deployed to a test server, an environment variable can be used to set the connection string to a test database server. For more information, see [Configuration](xref:fundamentals/configuration/index). Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. We recommend environment variables not be used to store a production connection string as it's not the most secure approach. +Configuration data guidelines: + +* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files. The [Secret Manager](xref:security/app-secrets) tool can be used to store secrets in development. +* Don't use production secrets in development or test environments. +* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository. + For more information, see: * [Managed identity best practice recommendations](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations)
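Review bot: The third added bullet, "Specify secrets outside of the project", does not say where the secrets should go, and because it follows the paragraph that advises against environment variables for a production connection string, it can be read as pointing to exactly that. The list names the Secret Manager tool only for development, so a reader gets no production option from these guidelines. Suggest naming one in that bullet, for example by pointing back to the managed identities text earlier in this section. A smaller point on the first bullet: it combines the rule (no sensitive data in "configuration provider code or in plain text configuration files") with the tooling pointer, and moving the Secret Manager sentence into its own bullet would keep each item to one guideline.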