79 lines
2.1 KiB
Plaintext
79 lines
2.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Do not enable debug features on production servers.
|
|
|
|
|
|
The .Net Core framework offers multiple features which help during debug. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.
|
|
|
|
Use ``++if (env.IsDevelopment())++`` to disable debug code.
|
|
|
|
== Sensitive Code Example
|
|
|
|
This rule raises issues when the following .Net Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``.
|
|
|
|
----
|
|
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Hosting;
|
|
|
|
namespace mvcApp
|
|
{
|
|
public class Startup2
|
|
{
|
|
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
|
|
{
|
|
// Those calls are Sensitive because it seems that they will run in production
|
|
app.UseDeveloperExceptionPage(); // Sensitive
|
|
app.UseDatabaseErrorPage(); // Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Hosting;
|
|
|
|
namespace mvcApp
|
|
{
|
|
public class Startup2
|
|
{
|
|
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
|
|
{
|
|
if (env.IsDevelopment())
|
|
{
|
|
// The following calls are ok because they are disabled in production
|
|
app.UseDeveloperExceptionPage(); // Compliant
|
|
app.UseDatabaseErrorPage(); // Compliant
|
|
}
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|