include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

Do not enable debug features on production servers.

The .NET Core framework offers multiple features that help during debugging. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.

Use ``++if (env.IsDevelopment())++`` to disable debug code in production.

== Sensitive Code Example

This rule raises issues when the following .NET Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``.

----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // These calls are Sensitive because it seems that they will run in production
            app.UseDeveloperExceptionPage(); // Sensitive
            app.UseDatabaseErrorPage(); // Sensitive
        }
    }
}
----

== Compliant Solution

----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // The following calls are ok because they are disabled in production
                app.UseDeveloperExceptionPage(); // Compliant
                app.UseDatabaseErrorPage(); // Compliant
            }
        }
    }
}
----

== Exceptions

This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

== Comments And Links

(visible only on this page)

include::comments-and-links.adoc[]

endif::env-github,rspecator-view[]
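
The Exceptions section notes that configuration files are not analyzed. The following Python script is an added example, not part of this rule or of the original page: a build-time check that flags deployment files forcing ``++ASPNETCORE_ENVIRONMENT++`` to ``++Development++``, which would make ``++env.IsDevelopment()++`` true on a production host. The function names, the choice of files (``++web.config++``, Dockerfile, ``++.env++``, compose files) and the sample inputs are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

ENV_VAR = "ASPNETCORE_ENVIRONMENT"
# IsDevelopment() compares the environment name case-insensitively.
# Optional prefixes cover Dockerfile (ENV), shell (export) and compose list items (-).
LINE_RE = re.compile(
    r"^\s*(?:ENV\s+|export\s+|-\s+)?" + ENV_VAR
    + r"\s*[=:\s]\s*[\"']?development[\"']?\s*$",
    re.IGNORECASE,
)

def scan_web_config(xml_text):
    """Flag <environmentVariable> entries in a web.config that force Development."""
    findings = []
    # Input is the repository's own config file, not untrusted XML.
    for node in ET.fromstring(xml_text).iter("environmentVariable"):
        value = (node.get("value") or "").strip()
        if node.get("name") == ENV_VAR and value.lower() == "development":
            findings.append("web.config sets %s=%s" % (ENV_VAR, value))
    return findings

def scan_lines(name, text):
    """Flag Dockerfile, .env or compose lines that force Development."""
    return [
        "%s:%d sets %s to Development" % (name, number, ENV_VAR)
        for number, line in enumerate(text.splitlines(), start=1)
        if LINE_RE.match(line)  # commented-out lines start with '#' and do not match
    ]

# Constructed sample inputs (hypothetical project, for illustration only).
SAMPLE_WEB_CONFIG = """<configuration><system.webServer>
  <aspNetCore processPath="dotnet" arguments="mvcApp.dll">
    <environmentVariables>
      <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
    </environmentVariables>
  </aspNetCore>
</system.webServer></configuration>"""
SAMPLE_DOCKERFILE = (
    "# ENV ASPNETCORE_ENVIRONMENT=Development\n"
    "ENV ASPNETCORE_ENVIRONMENT=Development\n"
)

if __name__ == "__main__":
    found = scan_web_config(SAMPLE_WEB_CONFIG) + scan_lines("Dockerfile", SAMPLE_DOCKERFILE)
    print("\n".join(found))
    sys.exit(1 if found else 0)  # non-zero exit fails the build
```

Run against the sample inputs, the script reports the ``++web.config++`` entry and line 2 of the Dockerfile, and exits non-zero so a pipeline step would fail.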