
ASP.NET Best Practice Analyzer

Friday, August 4, 2006

The alpha release of the ASP.NET Best Practice Analyzer was about 5 weeks ago. Similar to the popular SQL Server BPA, the ASP.NET BPA evaluates a set of best practice rules and tells you about configuration problems in your applications. The tool checks both machine-level and application-level config files. Currently, the tool only has a handful of rules. It will raise red flags if the application runs in full trust, or if the debug or trace flags are enabled, plus a few others.

Ironically, the tool suggests AutoEventWireup="false", which isn't the default for C# web forms in VS2005.

I can't think of too many hard and fast rules for web.config settings, but here are a few more that could be useful:

  • No plaintext passwords in the <identity> section.
  • Make sure the <httpHandlers> section maps appropriate extensions to the HttpForbiddenHandler.
  • Make sure the <pages> section has smartNavigation disabled and validateRequest enabled.
  • No enabled trace sources inside <system.diagnostics>.
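As an added example (not the analyzer's own code), here is a small Python checker for the four rules above plus the debug, trace and full-trust checks the tool already performs, run over a constructed web.config; the list of extensions that must map to HttpForbiddenHandler is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the page) that breaks most of the rules.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" /><trace enabled="true" /><trust level="Full" />
    <identity impersonate="true" userName="svc" password="Secret123" />
    <pages smartNavigation="true" validateRequest="false" />
    <httpHandlers><add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" /></httpHandlers>
  </system.web>
  <system.diagnostics><sources>
    <source name="System.Net" switchValue="Verbose" />
  </sources></system.diagnostics>
</configuration>"""

# Extensions that should be mapped to HttpForbiddenHandler; an assumed list.
FORBIDDEN_EXTENSIONS = ("*.cs", "*.config", "*.resx")

# (element under <system.web>, attribute, default, bad value, message)
SIMPLE_RULES = [
    ("compilation", "debug", "false", "true", "compilation debug=true"),
    ("trace", "enabled", "false", "true", "trace enabled=true"),
    ("trust", "level", "", "full", "trust level=Full"),
    ("pages", "smartNavigation", "false", "true", "pages smartNavigation=true"),
    ("pages", "validateRequest", "true", "false", "pages validateRequest=false"),
]

def _attr(elem, attr, default):
    return ((elem.get(attr) if elem is not None else None) or default).lower()

def analyze(config_xml):
    # Returns the list of rule violations found in one web.config document.
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    if web is None:
        return ["no <system.web> section"]
    findings = [msg for tag, attr, default, bad, msg in SIMPLE_RULES
                if _attr(web.find(tag), attr, default) == bad]
    if _attr(web.find("identity"), "password", ""):
        findings.append("plaintext password in <identity>")
    # Every required extension must be mapped to HttpForbiddenHandler.
    mapped = {h.get("path") for h in web.iterfind("httpHandlers/add")
              if "HttpForbiddenHandler" in (h.get("type") or "")}
    findings += [f"{e} not mapped to HttpForbiddenHandler"
                 for e in FORBIDDEN_EXTENSIONS if e not in mapped]
    # A trace source whose switch is anything but Off is still emitting output.
    for src in root.iterfind("system.diagnostics/sources/source"):
        if _attr(src, "switchValue", "off") != "off":
            findings.append(f"trace source {src.get('name')} enabled")
    return findings
```

Running analyze(SAMPLE_WEB_CONFIG) reports nine findings for the sample; a config with the attributes left at their defaults and all three extensions mapped produces none.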