include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

Do not enable debug features on production servers.

The .NET Core framework offers multiple features which help during debugging. ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage`` and ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage`` are two of them. Make sure that those features are disabled in production.

Wrap debug code in ``if (env.IsDevelopment())`` so that it only runs in the development environment.

== Sensitive Code Example

This rule raises issues when the following .NET Core methods are called: ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage``, ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage``.

----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // Those calls are Sensitive because it seems that they will run in production
            app.UseDeveloperExceptionPage(); // Sensitive
            app.UseDatabaseErrorPage(); // Sensitive
        }
    }
}
----

== Compliant Solution

----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // The following calls are ok because they are disabled in production
                app.UseDeveloperExceptionPage(); // Compliant
                app.UseDatabaseErrorPage(); // Compliant
            }
        }
    }
}
----

== Exceptions

This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.

include::../see.adoc[]
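
The Exceptions section leaves configuration files unchecked, and a file that pins the environment to `Development` makes the `env.IsDevelopment()` guard pass in production. The following Python check is an added example, not part of this rule or of any SonarSource code; it assumes the environment is set through `ASPNETCORE_ENVIRONMENT` or `DOTNET_ENVIRONMENT` in a `web.config` or a Dockerfile, and the function names and sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Variables ASP.NET Core reads to pick the hosting environment.
ENV_VARS = {"ASPNETCORE_ENVIRONMENT", "DOTNET_ENVIRONMENT"}
# Dockerfile forms: "ENV NAME=value" and "ENV NAME value" (optionally quoted).
DOCKER_ENV = re.compile(
    r"^\s*ENV\s+(?P<name>\w+)(?:\s*=\s*|\s+)[\"']?(?P<value>[^\"'\s]+)", re.I)


def is_development(value):
    # IsDevelopment() compares the environment name case-insensitively.
    return value.strip().lower() == "development"


def scan_web_config(text):
    """Return the env var names that a web.config pins to Development."""
    root = ET.fromstring(text)
    return [el.get("name") for el in root.iter("environmentVariable")
            if el.get("name", "").upper() in ENV_VARS
            and is_development(el.get("value", ""))]


def scan_dockerfile(text):
    """Return (line_number, name) for ENV lines that select Development."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = DOCKER_ENV.match(line)
        if (match and match["name"].upper() in ENV_VARS
                and is_development(match["value"])):
            hits.append((number, match["name"]))
    return hits


# Constructed sample inputs (hypothetical, not taken from a real project).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <aspNetCore processPath="dotnet" arguments="mvcApp.dll">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
      </environmentVariables>
    </aspNetCore>
  </system.webServer>
</configuration>"""

SAMPLE_DOCKERFILE = """FROM mcr.microsoft.com/dotnet/aspnet:8.0
ENV ASPNETCORE_ENVIRONMENT=Development
ENV DOTNET_ENVIRONMENT Production
ENTRYPOINT ["dotnet", "mvcApp.dll"]"""
```

Run both scanners over the deployment artifacts in CI and fail the build when either returns a non-empty list.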