Tip 7: Do Some Housekeeping before You Deploy Your Web Application
Tracing ASP.NET Web applications is made easy by using the <trace> element in the Web.config file as well as the page directive. However, when you are ready to deploy the Web application, be sure to disable tracing at both the page level and the application level. At the application level, this element in Web.config does it:
<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
Also, turn off debug mode in Web.config:
<compilation defaultLanguage="vb" debug="false" />
In the <customErrors> element in Web.config, remember to set the mode attribute to RemoteOnly:
<customErrors mode="RemoteOnly" />
The mode attribute has three possible values:
- "On" always displays custom (friendly) messages.
- "Off" always displays detailed ASP.NET error information.
- "RemoteOnly" displays custom (friendly) messages only to users not running on the local Web server. This setting is recommended for security purposes, so that you do not expose application details to remote clients.
Last, but not least, remove the Solution and Project files from your deployment server. They are not mapped to the ASP.NET ISAPI filter, so it is very easy for hackers to guess their names and read their contents directly from a Web browser.
Tip 8: Use Sessions, but Not Cookie-less Sessions
ASP.NET supports cookie-less sessions, which might seem tempting since many users turn cookies off in their browsers. But don't go down that road: cookie-less sessions expose you to session hijacking, where a hacker who obtains the URL you are browsing can simply reuse it and take over your session. The bottom line is, always avoid cookie-less sessions.
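As an added example (not code from the original article), the following Python script parses a Web.config, flags the settings from Tips 7 and 8 that are still at their development values, and rewrites them to the production values given above. The sample Web.config is constructed, and the sessionState cookieless="false" attribute, which disables cookie-less sessions, is taken from ASP.NET's configuration schema rather than from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the article) with the settings
# from Tips 7 and 8 still in their development state.
DEV_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" requestLimit="10" pageOutput="true" localOnly="false" />
    <compilation defaultLanguage="vb" debug="true" />
    <customErrors mode="Off" />
    <sessionState cookieless="true" />
  </system.web>
</configuration>"""

# Production values from the article, per element under <system.web>.
# sessionState cookieless="false" (ASP.NET schema, assumed here) turns off
# the cookie-less sessions that Tip 8 warns against.
PRODUCTION_RULES = {
    "trace": {"enabled": "false", "localOnly": "true"},
    "compilation": {"debug": "false"},
    "customErrors": {"mode": "RemoteOnly"},
    "sessionState": {"cookieless": "false"},
}

def audit_web_config(xml_text):
    """Return (element, attribute, found, expected) for each unsafe value.
    Only explicitly set attributes are compared; an absent element or
    attribute falls back to the ASP.NET default and is not flagged."""
    system_web = ET.fromstring(xml_text).find("system.web")
    findings = []
    for element, attrs in PRODUCTION_RULES.items():
        node = system_web.find(element) if system_web is not None else None
        for attr, expected in attrs.items():
            found = node.get(attr) if node is not None else None
            if found is not None and found.lower() != expected.lower():
                findings.append((element, attr, found, expected))
    return findings

def harden_web_config(xml_text):
    """Rewrite every flagged attribute to its production value."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    for element, attr, _found, expected in audit_web_config(xml_text):
        system_web.find(element).set(attr, expected)
    return ET.tostring(root, encoding="unicode")
```

Running audit_web_config on the sample yields five findings; running it again on the output of harden_web_config yields none.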