(C# ASP.NET Core) Status of the App_Data folder in ASP.NET Core and what is the way forward?

Looking for the "protected" App_Data folder in ASP.NET Core? The news is that it doesn't have that status anymore. It is no longer a "Special" folder. However, a workaround exists, and I demonstrate it in this tutorial. This tutorial explains how to read the contents of a notepad file (located in a "protected" folder of any random name). The contents are read from within the application, and displayed. Later we verify that the same notepad file cannot be accessed from the browser. This concept can easily be extended to use XML as a database, a topic we shall explore in some future posts.

Categories | About |     |  


Recap with FAQs about the App_Data Folder

Please go through these questions if you are not already aware about the App_Data folder.

What is App_Data folder?

App_Data was used in the classic ASP.NET WebForms and MVC to store database files or other sensitive data because IIS marks this folder as restricted and the contents are not viewable from the web.

App_Data in ASP.NET Core?

App_Data doesn't have a special status in ASP.NET Core. Nor is |DataDirectory| implemented.

Any workaround in ASP.NET Core?

Yes! You can: For example, if you want to use file based databases, such as of XML files or of notepad files, and would want to read/write them from within your app, but block access to them from outside, then follow the steps explained next.

Step 1 of 3: Create a folder with a notepad file inside it
(see the linked video for clarity)

First right-click the project to create a folder called, say, Dbase. It can be of any name because ASP.NET Core treats all folders equally - whether it is of name App_Data or of any other name.

Next right click the Dbase folder and add a file called db.txt, and write any text into it.

Step 2 of 3: Add a razor page called Index
(see the linked video for clarity)

Write this code into the index.cshtml file


@model Modular.Pages.IndexModel

<h1>Contents of DbFolder/db.txt</h1>


Step 3 of 3: Complete the code-behind Index.cshtml.cs
(see the linked video for clarity)

Write this code into the index.cshtml.cs file

using Microsoft.AspNetCore.Hosting;

using Microsoft.AspNetCore.Mvc.RazorPages;

using System.IO;

namespace Modular.Pages

  public class IndexModel : PageModel

    // dependency injection for 
    // reading the path to the root dir 
    readonly IWebHostEnvironment _env;

    public IndexModel(IWebHostEnvironment env)

      _env = env;


    public void OnGet()

      // construct the path to the notepad file 
      string path = Path.Combine(_env.ContentRootPath, @"Dbase\db.txt");

      // for simplicity, put the data 
      // into viewdata dictionary 
      ViewData["mydata"] = System.IO.File.ReadAllText(path);




What about security?

You can try access the notepad file from the browser - and verify that the request is rejected as not found. Why is it so? ASP.NET Core allows external access to static files only if you specifically configure it through the UseStaticFiles middleware. That should explain why there is no need for a special status to App_Data folder.

Video Explanation with a Working Example
(code given after this video)

Please watch the following youtube video:

This Blog Post/Article "(C# ASP.NET Core) Status of the App_Data folder in ASP.NET Core and what is the way forward?" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.