how to secure elmah.axd if I am not using ASP.NET Membership
Question
I am using Elmah as error logging system in asp.net web form project. But in elmah any one can read error log by pasting /elmah.axd in the url
And I can not check authorization because I am not using ASP.NET Membership.
2 answers
solution1
1 ACCPTED 2013-10-25 12:58:26
Can you lock it down with IP security (IIS7 +)?
<location path="elmah.axd">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<!--
See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for
more information on using ASP.NET authorization securing ELMAH.
-->
</system.web>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" >
<add ipAddress="127.0.0.1" allowed="true"/>
</ipSecurity>
</security>
<handlers>
<add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
</handlers>
</system.webServer>
</location>
solution2
0 2013-11-07 14:27:00
I've found that the easiest option is to change the elmah.axd bits in the web.config to something else that no one will guess. Eg myerrors.axd (obviously choose something more obscure).
Then only you know what the page name is to view the errors....
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.