ASP.NET Best Practice Analyzer

Friday, August 4, 2006

The alpha release of the ASP.NET Best Practice Analyzer was about 5 weeks ago. Similar to the popular SQL Server BPA, the ASP.NET BPA evaluates a set of best practice rules and tells you about configuration problems in your applications. The tool checks both machine level and application level config files. Currently, the tool only has a handful of rules. It will raise red flags if the application runs in full trust, or if debug / trace flags are enabled, and a few others.

Ironically, the tool suggest AutoEventWireup="false", which isn't the default for C# web forms in VS2005.

I can't think of too many hard and fast rules for web.config settings, but here are a few: more that could be useful:

  • No plaintext passwords in the <identity> section.
  • Make sure the <httpHandlers> section maps appropriate extensions to the HttpForbiddenHandler.
  • Make sure the <pages> section has smartNavigation disabled and validateRequest enabled.
  • No enabled trace sources inside <system.diagnostics>.


Comments
Joe Morel Friday, August 4, 2006
Thanks for the rules suggestions...I'm going to add them to the tool right away. Look for a refresh of the tool to be released in the next couple of weeks!
Comments are closed.

My Pluralsight Courses

K.Scott Allen OdeToCode by K. Scott Allen
What JavaScript Developers Should Know About ECMAScript 2015
The Podcast!