include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Do not enable debug features on production servers.
|
|
|
|
The .NET Core framework offers several features that help during debugging. ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage`` and ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage`` are two of them. Make sure that these features are disabled in production.
|
|
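Wrap debug code in ``if (env.IsDevelopment())`` so that it is disabled outside the development environment. This check relies on the environment name the host is configured with, so make sure production hosts are never configured as ``Development``.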
|
|
|
|
== Sensitive Code Example
|
|
|
|
This rule raises issues when the following .NET Core methods are called: ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage``, ``Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage``.
|
|
|
|
----
|
|
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Hosting;
|
|
|
|
namespace mvcApp
{
    /// <summary>
    /// Sensitive example: debug-only middleware is registered for every environment.
    /// </summary>
    public class Startup2
    {
        /// <summary>
        /// Builds the request pipeline without checking which environment the application runs in.
        /// </summary>
        /// <param name="app">Pipeline builder the middleware is registered on.</param>
        /// <param name="env">Hosting environment; it is never consulted in this method.</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // Both registrations are unconditional, so they also take effect in production,
            // where detailed error pages would be returned to any client whose request fails.
            app.UseDeveloperExceptionPage(); // Sensitive
            app.UseDatabaseErrorPage(); // Sensitive
        }
    }
}
|
|
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Hosting;
|
|
|
|
namespace mvcApp
{
    /// <summary>
    /// Compliant example: debug-only middleware is registered in the development environment only.
    /// </summary>
    public class Startup2
    {
        /// <summary>
        /// Builds the request pipeline, enabling the developer error pages only in development.
        /// </summary>
        /// <param name="app">Pipeline builder the middleware is registered on.</param>
        /// <param name="env">Hosting environment used to decide whether debug features are enabled.</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // Registered only when the host reports the development environment,
                // so these pages are not enabled in production.
                app.UseDeveloperExceptionPage(); // Compliant
                app.UseDatabaseErrorPage(); // Compliant
            }

            // NOTE(review): the guard is only as reliable as the environment name the host is
            // configured with; a production deployment configured as Development would still
            // enable both pages. Outside development, consider registering a generic error
            // handler (e.g. UseExceptionHandler) so that failures do not expose internals.
        }
    }
}
|
|
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.
|
|
|
|
include::../see.adoc[]
|