Don’t run production ASP.NET Applications with debug="true" enabled
page 2 of 3
by Scott Guthrie

What about binaries compiled with debug symbols?

One scenario that several people find very useful is to compile/pre-compile an application or associated class libraries with debug symbols so that more detailed stack trace and line error messages can be retrieved from it when errors occur. 

The good news is that you can do this without having to have the <compilation debug="true"/> switch enabled in production.  Specifically, you can use either a web deployment project or a web application project to pre-compile the code for your site with debug symbols, and then change the <compilation debug="true"/> switch to false right before you deploy the application on the server. 

The debug symbols and metadata in the compiled assemblies will increase the memory footprint of the application, but this can sometimes be an ok trade-off for more detailed error messages.

The <deployment retail="true"/> Switch in machine.config

If you are a server administrator and want to ensure that no one accidentally deploys an ASP.NET application in production with the <compilation debug="true"/> switch enabled within the application’s web.config file, one trick you can use with ASP.NET V2.0 is to take advantage of the <deployment> section within your machine.config file.

Specifically, by setting this within your machine.config file:

Listing 1

<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>

You will disable the <compilation debug="true"/> switch, disable the ability to output trace output in a page, and turn off the ability to show detailed error messages remotely.  Note that these last two items are security best practices you really want to follow (otherwise hackers can learn a lot more about the internals of your application than you should show them).

Setting this switch to true is probably a best practice that any company with formal production servers should follow to ensure that an application always runs with the best possible performance and no security information leakages.  There isn’t a ton of documentation on this switch – but you can learn a little more about it here.
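An added example, not code from the original article: a Python check that reads a machine.config and a web.config and reports which of the three settings described above are turned on, and whether the retail switch overrides them. The sample config text is constructed, and the function names are hypothetical.

```python
"""Audit ASP.NET config text for the settings <deployment retail="true"/> overrides."""
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}compilation".
    return tag.rsplit("}", 1)[-1]

def _sections(root, name):
    # Direct children of any <system.web>, including ones nested in <location>.
    for sw in root.iter():
        if _local(sw.tag) == "system.web":
            yield from (c for c in sw if _local(c.tag) == name)

def _is(elem, attr, value):
    return elem.get(attr, "").strip().lower() == value

def retail_enabled(machine_config_xml):
    root = ET.fromstring(machine_config_xml)
    return any(_is(e, "retail", "true") for e in _sections(root, "deployment"))

def audit_web_config(web_config_xml, retail=False):
    """Return (setting, status) pairs; status is 'exposed' or 'overridden by retail'."""
    root = ET.fromstring(web_config_xml)
    checks = [("compilation", "debug", "true", 'compilation debug="true"'),
              ("trace", "enabled", "true", 'trace enabled="true"'),
              ("customErrors", "mode", "off", 'customErrors mode="Off"')]
    status = "overridden by retail" if retail else "exposed"
    return [(label, status) for section, attr, value, label in checks
            if any(_is(e, attr, value) for e in _sections(root, section))]

# Constructed sample inputs, not taken from a real server.
MACHINE_CONFIG = """<configuration><system.web>
  <deployment retail="true"/>
</system.web></configuration>"""

WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true"/>
    <customErrors mode="Off"/>
  </system.web>
  <location path="admin">
    <system.web><trace enabled="true" pageOutput="true"/></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for retail in (False, retail_enabled(MACHINE_CONFIG)):
        print("retail =", retail)
        for setting, status in audit_web_config(WEB_CONFIG, retail):
            print("  %-28s %s" % (setting, status))
```
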

Hope this helps,

Scott



User Comments

Title: eCommerce Developer   
Name: maitreg
Date: 2009-07-23 9:12:20 AM
Comment:
Hmm, ok, our PCI Compliance officer is also telling us we have to disable ASP.NET debug mode on our product server, but then we won't have any reasonable method for actually debugging our live site!! Right now, I've set it up to trap all errors and email me the file name and line # when an error occurs. But with debug mode off, the file name and line # are unavailable!? So now when an error occurs, I only know that "some" error occurred "somewhere". On a complex ASP.NET Web app with 20,000 lines of code (at least half of which may be executed on any given request), debugging is virtually impossible without the debug mode.

And before you ask, anybody who's ever deployed an ASP.NET Web app will tell you that there are 1000s of errors that could occur in a live environment that did not occur in the development environment.

Isn't there ANY way to safely leave debug mode on? Or is there some way to debug live apps with the debug mode off that I'm unaware of?
