Please remember to remove design-mode settings from web.config before deploying

I do it, so my site should be safe, right? Well it turns out that the answer is “wrong”!!

One of the websites that shares a webserver with my site left CustomErrors=”Off” in their web.config when they deployed their site.

How does this affect me? Well, there was a problem in the machine.config on the server. That website exposed the error because it had the customerrors off which basically does a little stacktrace dump on the webpage. In the particular case, it happened to show the bad line from the machine.config. What was the bad line? It set up impersonation for 4 websites on the server, of course mine being one of them. So browsing to that other website, showed anyone going there the logins and passwords for four domains.

So, now this is not a best practice, it is a rule. There are plenty of web.config settings that should not get to production!! Pay attention. Please.

TechEd Speakers Charity Auction

  Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!  

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.