Geek Speak: Can I secure Application Level Tracing?


One of my co-workers (Glen Gordon) found a good article at http://scottcate.mykb.com/Article_D5C6F.aspx

Bottom line: secure the trace.axd file with an entry in web.config. :)

<location path="trace.axd">
    <system.web>
        <authorization>
            <allow users="admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>


Comments (2)

  1. Dan says:

    I don’t think this totally secures the trace page since it can be requested from any sub-folder in the web application, not just from the root. So while http://www/myapp/trace.axd might be secured, http://www/myapp/images/trace.axd won’t be.

    Does this work on your system?

    Dan

  2. I did some investigating. You are correct this doesn’t work for the sub folders, but you can add a web.config with just that code to prevent access to the trace.axd.
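An audit for the gap raised in the comments, as an added example that is not part of the original post or its comments: it walks an application's folders and lists those without a web.config that locks down trace.axd. It takes the thread's conclusion (each sub-folder needs its own web.config with the entry) as its assumption; the function names and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # tag without any XML namespace

def locks_trace(config_path):
    """True if the trace.axd <location> denies users="*" before allowing them."""
    try:
        root = ET.parse(config_path).getroot()
    except (OSError, ET.ParseError):
        return False  # a missing or malformed web.config protects nothing
    for loc in root.iter():
        if _name(loc) != "location" or loc.get("path", "").lower() != "trace.axd":
            continue
        for rule in (r for a in loc.iter() if _name(a) == "authorization" for r in a):
            if rule.get("users", "").strip() == "*":  # ASP.NET: first matching rule wins
                return _name(rule) == "deny"
    return False

def unprotected_folders(app_root):
    """Folders under app_root that lack a web.config locking trace.axd."""
    missing = []
    for folder, _dirs, files in os.walk(app_root):
        cfg = next((f for f in files if f.lower() == "web.config"), None)
        if cfg is None or not locks_trace(os.path.join(folder, cfg)):
            missing.append(os.path.relpath(folder, app_root))
    return sorted(missing)

# Constructed sample input: the article's entry, and a variant that allows everyone first.
GOOD = ('<configuration><location path="trace.axd"><system.web><authorization>'
        '<allow users="admin" /><deny users="*" />'
        '</authorization></system.web></location></configuration>')
BAD = GOOD.replace('<allow users="admin" />', '<allow users="*" />')

def demo():
    """Build a constructed app tree and return the folders the audit flags."""
    layout = {"": GOOD, "images": None, "admin": GOOD, "reports": BAD}
    with tempfile.TemporaryDirectory() as app:
        for sub, body in layout.items():
            os.makedirs(os.path.join(app, sub), exist_ok=True)
            if body is not None:
                with open(os.path.join(app, sub, "web.config"), "w") as fh:
                    fh.write(body)
        return unprotected_folders(app)

if __name__ == "__main__":
    print(demo())  # folders still needing the <location> entry
```

Point `unprotected_folders` at a deployed site's physical root to get the list of folders that still need the entry.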