Differences

This shows you the differences between two versions of the page.

--- asp_net_mvc_security_check_list [2013/05/14 03:47] – [Threat: Cross-Site Scripting] stephen
+++ asp_net_mvc_security_check_list [2017/01/01 20:05] (current) – external edit 127.0.0.1
@@ Line 28: / Line 28: @@
     * (Preferred) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by a ''IsLocalUrl(url)'' check and failures are logged.
     * (Acceptable) Review all controller action methods and ensure no ''return Redirect(url);'' method calls exist (they should be replaced by ''return RedirectToLocal(url);'').
+===== Threat: Stack Trace Leakage =====
+  * (Preferred) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''machine.config'' of the web server (found at ''%windir%\Microsoft\.NET\Framework\<frameworkversion>\Config''), switch on 'retail':<code xml>
+<system.web>
+  <deployment retail="true" />
+</system.web>
+</code> This will set ''customErrors'' mode to On and disable trace output and debug. It can not be overridden by the ''Web.config''.
+  * (Acceptable) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''Web.config'' set ''customErrors'' mode to On:<code xml>
+<system.web>
+  <customErrors defaultRedirect="GenericError.html" mode="On">
+    <error statusCode="500" redirect="InternalError.html"/>
+  </customErrors>
+<system.web>
+</code>
 ===== General =====
   * Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked ''public'' - all others must be ''protected'' or ''private''.