include::../description.adoc[] include::../ask-yourself.adoc[] == Recommended Secure Coding Practices Do not enable debug features on production servers. The .Net Core framework offers multiple features which help during debug. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production. Use ``++If env.IsDevelopment()++`` to disable debug code. == Sensitive Code Example This rule raises issues when the following .Net Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``. ---- Imports Microsoft.AspNetCore.Builder Imports Microsoft.AspNetCore.Hosting Namespace MyMvcApp Public Class Startup Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment) ' Those calls are Sensitive because it seems that they will run in production app.UseDeveloperExceptionPage() 'Sensitive app.UseDatabaseErrorPage() 'Sensitive End Sub End Class End Namespace ---- == Compliant Solution ---- Imports Microsoft.AspNetCore.Builder Imports Microsoft.AspNetCore.Hosting Namespace MyMvcApp Public Class Startup Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment) If env.IsDevelopment() Then ' Compliant ' The following calls are ok because they are disabled in production app.UseDeveloperExceptionPage() app.UseDatabaseErrorPage() End If End Sub End Class End Namespace ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]