include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

include::../impact.adoc[]

// How to fix it section

include::./how-to-fix/net-core.adoc[]

include::./how-to-fix/net-framework.adoc[]

== Resources

=== Documentation

* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytoken?view=msal-web-dotnet-latest[JwtSecurityToken Class Class]
* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.symmetricsecuritykey?view=dotnet-plat-ext-8.0[SymmetricSecurityKey Class]

include::../../../shared_content/secrets/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* When secrets are stored in configuration files:
** Make sure that JWT secret keys used in production are not stored in source control.
* Other cases:
** JWT secret keys should not be disclosed.

=== Highlight

The call to create a new instance of `SymmetricSecurityKey`.

'''
endif::env-github,rspecator-view[]