ASP.NET Best Practice Analyzer

Friday, August 4, 2006

The alpha release of the ASP.NET Best Practice Analyzer was about 5 weeks ago. Similar to the popular SQL Server BPA, the ASP.NET BPA evaluates a set of best practice rules and tells you about configuration problems in your applications. The tool checks both machine level and application level config files. Currently, the tool only has a handful of rules. It will raise red flags if the application runs in full trust, or if debug / trace flags are enabled, and it has a few other checks.

Ironically, the tool suggests AutoEventWireup="false", which isn't the default for C# web forms in VS2005.

I can't think of too many hard and fast rules for web.config settings, but here are a few more that could be useful:

  • No plaintext passwords in the <identity> section.
  • Make sure the <httpHandlers> section maps appropriate extensions to the HttpForbiddenHandler.
  • Make sure the <pages> section has smartNavigation disabled and validateRequest enabled.
  • No enabled trace sources inside <system.diagnostics>.
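
The four rules above can be expressed as a small checker. This is an added example, not code from the BPA tool. The rule ids, the list of sensitive extensions, the "last entry for a path wins" handler model, and the reading of "enabled" as "switch level is not Off" are all assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
# Assumption: which extensions count as "appropriate" is this example's choice.
SENSITIVE_PATHS = ("*.config", "*.cs", "*.mdb")

def check_web_config(xml_text):
    """Return a sorted list of (hypothetical) rule ids violated by one web.config."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # VS2005 may add an xmlns; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    hits = set()
    # Rule 1: a password attribute is acceptable only as a "registry:" reference.
    for ident in root.iter("identity"):
        pw = ident.get("password")
        if pw and not pw.lower().startswith("registry:"):
            hits.add("identity-plaintext-password")
    # Rule 2 (simplified model): the last entry for a path wins, and inherited
    # machine-level mappings are assumed to point at HttpForbiddenHandler.
    state = {p: FORBIDDEN for p in SENSITIVE_PATHS}
    for h in root.findall(".//httpHandlers/*"):
        path = (h.get("path") or "").lower()
        if h.tag == "clear":
            state = dict.fromkeys(SENSITIVE_PATHS)
        elif path in state:
            state[path] = h.get("type", "").split(",")[0].strip() if h.tag == "add" else None
    if any(t != FORBIDDEN for t in state.values()):
        hits.add("handler-not-forbidden")
    # Rule 3: smartNavigation must stay off and validateRequest must stay on.
    for pages in root.iter("pages"):
        if pages.get("smartNavigation", "false").lower() == "true":
            hits.add("smartnavigation-enabled")
        if pages.get("validateRequest", "true").lower() == "false":
            hits.add("validaterequest-disabled")
    # Rule 4: a trace source is treated as enabled when its switch is not Off.
    switches = {s.get("name"): s.get("value") for s in root.findall("./system.diagnostics/switches/add")}
    for src in root.findall("./system.diagnostics/sources/source"):
        level = src.get("switchValue") or switches.get(src.get("switchName"))
        if level and level.lower() not in ("off", "0"):
            hits.add("trace-source-enabled")
    return sorted(hits)

# Constructed sample input, not taken from any real application.
SAMPLE_BAD = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"><system.web>
  <identity impersonate="true" userName="svc" password="example-only"/>
  <httpHandlers><remove verb="*" path="*.config"/></httpHandlers>
  <pages smartNavigation="true" validateRequest="false"/></system.web>
  <system.diagnostics><sources><source name="App" switchValue="Verbose"/></sources></system.diagnostics>
</configuration>"""
```

Calling `check_web_config(SAMPLE_BAD)` reports all five rule ids; a config that only re-adds a sensitive path to HttpForbiddenHandler and keeps its trace switch at Off reports none.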


Comments
Joe Morel Friday, August 4, 2006
Thanks for the rules suggestions...I'm going to add them to the tool right away. Look for a refresh of the tool to be released in the next couple of weeks!
OdeToCode by K. Scott Allen