Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:
An application’s debug features enable developers to find bugs more easily and thus facilitate also the work of attackers. It often gives access to detailed information on both the system running the application and users.
There is a risk if you answered yes to any of those questions.
Do not enable debug features on production servers.
The .Net Core framework offers multiple features which help during debug.
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in
production.
Use If env.IsDevelopment() to disable debug code.
This rule raises issues when the following .Net Core methods are called:
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage,
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage.
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Namespace MyMvcApp
Public Class Startup
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
' Those calls are Sensitive because it seems that they will run in production
app.UseDeveloperExceptionPage() 'Sensitive
app.UseDatabaseErrorPage() 'Sensitive
End Sub
End Class
End Namespace
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Namespace MyMvcApp
Public Class Startup
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
If env.IsDevelopment() Then ' Compliant
' The following calls are ok because they are disabled in production
app.UseDeveloperExceptionPage()
app.UseDatabaseErrorPage()
End If
End Sub
End Class
End Namespace