Updated Jul 31, 2008 by azizatif
Labels: Phase-Deploy, Featured
SecuringErrorLogPages  
How to secure the error log pages from unauthorized users

Securing Error Log Pages

You can secure ELMAH's display or feeds in two ways:

- Enabling or disabling remote access
- Granting or denying access via ASP.NET authorization

Both of these are discussed in the sub-sections that follow.

Enabling or Disabling Remote Access

ELMAH provides a configuration section and setting to enable or disable remote access to the error log display and feeds. When disabled (the default), only local access to the error log display and feeds is allowed. The snippet below shows how to enable remote access:

<elmah>  
    <security allowRemoteAccess="1" />  
</elmah>  

To enable remote access, the value of the allowRemoteAccess attribute can be 1, yes, true or on. Otherwise it is disabled. In any event, local access is always available.

Note: Make sure you have declared the expected configuration sections in order to apply the above configuration. See Declaring configuration sections for more.

Granting or Denying Access via ASP.NET Authorization

Besides the integrated security setting offered by ELMAH, ASP.NET provides its own authorization mechanism. For example, suppose ELMAH's error log display handler is registered for the path elmah.axd. To deny access to this path to anonymous users, add the following to your configuration:

<location path="elmah.axd">  
    <system.web>  
        <authorization>  
            <deny users="?" />  
        </authorization>  
    </system.web>  
</location>  
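
A check that combines the two settings above, as an added example that is not part of the ELMAH documentation or code: it reads a web.config and reports whether remote access is enabled without a rule that denies anonymous users for the handler path. It inspects only the `<location>` block for that path (ignoring inherited rules and the `verbs` attribute is an assumption), and the verdict labels and sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

TRUTHY = {"1", "yes", "true", "on"}  # values the page lists as enabling remote access

def remote_access_enabled(root):
    sec = root.find("elmah/security")
    value = sec.get("allowRemoteAccess", "") if sec is not None else ""
    # Case-insensitive matching is an assumption; it errs toward flagging.
    return value.strip().lower() in TRUTHY

def anonymous_denied(root, handler_path="elmah.axd"):
    """True if the <location> block for handler_path denies anonymous users.
    ASP.NET reads rules top to bottom; the first matching rule decides."""
    for loc in root.findall("location"):
        if loc.get("path", "").strip().lower() != handler_path.lower():
            continue
        for auth in loc.iter("authorization"):
            for rule in auth:
                users = {u.strip() for u in rule.get("users", "").split(",")}
                if users & {"?", "*"}:  # rule applies to anonymous requests
                    return rule.tag == "deny"
    return False  # no rule in this block stops anonymous users

def audit(config_xml, handler_path="elmah.axd"):
    root = ET.fromstring(config_xml)
    if not remote_access_enabled(root):
        return "LOCAL_ONLY"
    if anonymous_denied(root, handler_path):
        return "REMOTE_AUTHENTICATED"
    return "EXPOSED"

# Constructed sample configurations (not taken from any real deployment).
REMOTE = '<elmah><security allowRemoteAccess="yes" /></elmah>'
DENY = '<deny users="?" />'
LOCATION = ('<location path="elmah.axd"><system.web><authorization>{}'
            '</authorization></system.web></location>')
SAMPLES = {
    "remote, no rule": f"<configuration>{REMOTE}</configuration>",
    "remote + deny": f"<configuration>{REMOTE}{LOCATION.format(DENY)}</configuration>",
    "allow before deny": "<configuration>" + REMOTE
        + LOCATION.format('<allow users="*" />' + DENY) + "</configuration>",
    "default": "<configuration><elmah /></configuration>",
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name:18} -> {audit(xml_text)}")
```

The "allow before deny" sample shows why rule order matters: an earlier `<allow users="*" />` matches anonymous requests first, so the later deny rule never applies.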

For more information, see also:

