dotnet · Rick-Anderson · Nov 5, 2024 · Oct 24, 2024 · Nov 4, 2024 · Nov 5, 2024
diff --git a/aspnetcore/grpc/code-first.md b/aspnetcore/grpc/code-first.md
@@ -89,9 +89,7 @@ A code-first gRPC client uses the service contract to call gRPC services.
   * Add a [Grpc.Net.Client](https://www.nuget.org/packages/Grpc.Net.Client) package reference.
   * Add a reference to the shared code-contract project.
 
-  [!code-csharp[](code-first/samples/6.x/GrpcGreeterClient/GrpcGreeterClient.csproj?highlight=10-13,15-17)]
-
-[!code-xml[](code-first/samples/6.x/GrpcGreeterClient/GrpcGreeterClient.csproj?highlight=10-13,15-17)]
+  [!code-xml[](code-first/samples/6.x/GrpcGreeterClient/GrpcGreeterClient.csproj?highlight=10-13,15-17)]
 
 * Update the client `program.cs`
 

diff --git a/aspnetcore/migration/80-90.md b/aspnetcore/migration/80-90.md
@@ -63,13 +63,29 @@ In the project file, update each [`Microsoft.AspNetCore.*`](https://www.nuget.or
 -   <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.2" />
 -   <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="8.0.0" />
 -   <PackageReference Include="System.Net.Http.Json" Version="8.0.0" />
-+   <PackageReference Include="Microsoft.AspNetCore.JsonPatch" Version="9.0.0-preview.1.24081.5" />
-+   <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.0-preview.1.24081.2" />
-+   <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="9.0.0-preview.1.24080.9" />
-+   <PackageReference Include="System.Net.Http.Json" Version="9.0.0-preview.1.24080.9" />
++   <PackageReference Include="Microsoft.AspNetCore.JsonPatch" Version="9.0.0" />
++   <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.0" />
++   <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="9.0.0" />
++   <PackageReference Include="System.Net.Http.Json" Version="9.0.0" />
 </ItemGroup>
 ```
 
+## Replace UseStaticFiles with MapStaticAssets
+
+Blazor has different update instructions for `MapStaticAssets` than Razor Pages and ASP.NET Core MVC.
+
+### Blazor web apps
+
+* Replace [UseStaticFiles](/dotnet/api/microsoft.aspnetcore.builder.staticfileextensions.usestaticfiles) with [MapStaticAssets](/dotnet/api/microsoft.aspnetcore.builder.staticassetsendpointroutebuilderextensions.mapstaticassets) in `Program.cs`
+* Update explicit references to static assets in `.razor` files to use the `@Assets["asset-path"]` API. This should ***NOT*** be done for the Blazor framework scripts (`*blazor.\*.js*`).
+* Update the root `App.razor` component to include the `<ImportMap />` component in the head.
+
+### Razor Pages and ASP.NET Core MVC based apps
+
+* Replace [UseStaticFiles](/dotnet/api/microsoft.aspnetcore.builder.staticfileextensions.usestaticfiles) with [MapStaticAssets](/dotnet/api/microsoft.aspnetcore.builder.staticassetsendpointroutebuilderextensions.mapstaticassets) in `Program.cs`
+* Chain a call to `.WithStaticAssets` after `MapRazorPages` or `MapControllerRoute` in `Program.cs`. For an example, see the <xref:fundamentals/static-files?view=aspnetcore-9.0&preserve-view=true>
+* Add `<script type="importmap"></script>` to the head of the main layout file.
+
 ## Blazor
 
 [!INCLUDE[](~/migration/80-to-90/includes/blazor.md)]

diff --git a/aspnetcore/security/index.md b/aspnetcore/security/index.md
@@ -61,7 +61,13 @@ Managed identities are a secure way to authenticate to services without needing
 * [Managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
 * [Secure authentication flows](/entra/identity-platform/authentication-flows-app-scenarios#web-app-that-signs-in-a-user)
 
-When the app is deployed to a test server, an environment variable can be used to set the connection string to a test database server. For more information, see [Configuration](xref:fundamentals/configuration/index). Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. We recommend environment variables not be used to store a production connection string as it's not the most secure approach.
+When the app is deployed to a test server, an environment variable can be used to set the connection string to a test database server. For more information, see [Configuration](xref:fundamentals/configuration/index). Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. We recommend against using environment variables to store a production connection string as it's not the most secure approach.
+
+Configuration data guidelines:
+
+* Never store passwords or other sensitive data in configuration provider code or in plain text configuration files. The [Secret Manager](xref:security/app-secrets) tool can be used to store secrets in development.
+* Don't use production secrets in development or test environments.
+* Specify secrets outside of the project so that they can't be accidentally committed to a source code repository.
 
 Configuration data guidelines: