ASP.NET Best Practice Analyzer

The alpha release of the ASP.NET Best Practice Analyzer was about 5 weeks ago. Similar to the popular SQL Server BPA, the ASP.NET BPA evaluates a set of best practice rules and tells you about configuration problems in your applications. The tool checks both machine level and application level config files. Currently, the tool only has a handful of rules. It will raise red flags if the application runs in full trust, or if debug / trace flags are enabled, and a few others.

Ironically, the tool suggests AutoEventWireup="false", which isn't the default for C# web forms in VS2005.

I can't think of too many hard and fast rules for web.config settings, but here are a few more that could be useful:

  • No plaintext passwords in the <identity> section.
  • Make sure the <httpHandlers> section maps appropriate extensions to the HttpForbiddenHandler.
  • Make sure the <pages> section has smartNavigation disabled and validateRequest enabled.
  • No enabled trace sources inside <system.diagnostics>.
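The four rules above can be checked mechanically against a single config file. The following is an added example, not part of the original post or of the BPA tool; the function name, the `FORBIDDEN_PATHS` list and the sample config are assumptions made for illustration. It inspects one file only and does not merge machine-level and application-level settings, so the handler rule is most meaningful against the machine-level file.

```python
import xml.etree.ElementTree as ET
# Assumption: paths the reviewer wants blocked; the post does not name any.
FORBIDDEN_PATHS = ("*.config", "*.cs")

# Constructed sample, not taken from a real application.
SAMPLE = """<configuration>
  <system.web>
    <identity impersonate="true" userName="svc" password="hunter2"/>
    <pages smartNavigation="true" validateRequest="false"/>
    <httpHandlers><add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler"/></httpHandlers>
  </system.web>
  <system.diagnostics>
    <sources><source name="App" switchName="sw"/></sources>
    <switches><add name="sw" value="Verbose"/></switches>
  </system.diagnostics>
</configuration>"""

def check_web_config(xml_text, forbidden_paths=FORBIDDEN_PATHS):
    """Return findings for the four rules above, for one config file."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                     # drop any default xmlns
        el.tag = el.tag.split("}")[-1]
    findings = []
    # Rule 1: a "registry:" value points at encrypted credentials, not a literal.
    for ident in root.iter("identity"):
        pw = ident.get("password", "")
        if pw and not pw.lower().startswith("registry:"):
            findings.append("identity: plaintext password")
    # Rule 2: every expected path must map to HttpForbiddenHandler.
    blocked = {a.get("path", "").lower()
               for h in root.iter("httpHandlers") for a in h.findall("add")
               if a.get("type", "").split(",")[0].strip() == "System.Web.HttpForbiddenHandler"}
    findings += [f"httpHandlers: {p} not forbidden"
                 for p in forbidden_paths if p.lower() not in blocked]
    # Rule 3: flag only explicit overrides of the safe defaults.
    for pages in root.iter("pages"):
        if pages.get("smartNavigation", "false").lower() == "true":
            findings.append("pages: smartNavigation enabled")
        if pages.get("validateRequest", "true").lower() == "false":
            findings.append("pages: validateRequest disabled")
    # Rule 4: a source is enabled when its level resolves to anything but Off.
    for diag in root.iter("system.diagnostics"):
        switches = {s.get("name"): s.get("value", "Off") for s in diag.findall("switches/add")}
        for src in diag.findall("sources/source"):
            level = src.get("switchValue") or switches.get(src.get("switchName"), "Off")
            if level.strip().lower() not in ("off", "0"):
                findings.append(f"system.diagnostics: source {src.get('name')} enabled")
    return findings
```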

posted @ Friday, August 04, 2006 2:30 AM

Comments on this entry:

# re: ASP.NET Best Practice Analyzer
by Joe Morel at 8/4/2006 6:33 PM

Thanks for the rules suggestions...I'm going to add them to the tool right away. Look for a refresh of the tool to be released in the next couple of weeks!
  
