Secure that trace.axd file

In our current series of MSDN Events, we are spending a good bit of time on ASP.NET tracing and showing the usefulness of the trace.axd file. After doing some research around the web (using MSN Search of course!) I came across some information on how to control access to the trace.axd file when you set localOnly to false, which is sometimes needed because you might not be able to log on to the web server box itself.

Basically, the technique uses an authorization element in the web.config file to control access to the trace.axd file. A sample snippet of web.config might look like this:

    <location path="trace.axd">
        <system.web>
            <authorization>
                <allow users="superuser" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

I use the user name "superuser" for illustration only. You could also say <allow roles="Admins" />. Depending on whether you are using Forms authentication or Windows authentication, you'd either use a user/role name that you've defined, or one that Windows defines such as "BUILTIN\Administrators" or "DOMAIN\accountname".
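To check a deployed web.config for this setup, the following script is an added example (not from the original post or from Microsoft). It reports when tracing is enabled with localOnly set to false and the trace.axd location block is missing or lacks a final deny rule. The function name `audit_trace` and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: tracing enabled for remote use, plus the page's <location> block.
SAMPLE = """<configuration>
  <system.web><trace enabled="true" localOnly="false" /></system.web>
  <location path="trace.axd">
    <system.web>
      <authorization>
        <allow users="superuser" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _local(tag):
    # Drop an XML namespace prefix if the file declares one on <configuration>.
    return tag.rsplit("}", 1)[-1]

def _child(node, name):
    if node is None:
        return None
    return next((c for c in node if _local(c.tag) == name), None)

def audit_trace(web_config_xml):
    """Return findings for trace.axd; an empty list means access is restricted."""
    root = ET.fromstring(web_config_xml)
    trace = _child(_child(root, "system.web"), "trace")
    # ASP.NET defaults are enabled="false" and localOnly="true".
    if trace is None or trace.get("enabled", "false").lower() != "true":
        return []
    if trace.get("localOnly", "true").lower() == "true":
        return []
    rules = None
    for loc in root:
        if _local(loc.tag) == "location" and loc.get("path", "").lower() == "trace.axd":
            rules = _child(_child(loc, "system.web"), "authorization")
    if rules is None:
        return ["trace.axd is remotely reachable with no authorization block"]
    # Authorization rules are evaluated top-down; the first match wins.
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if _local(rule.tag) == "allow" and ("*" in users or "?" in users):
            return ['allow users="%s" matches before any deny' % rule.get("users")]
        if _local(rule.tag) == "deny" and "*" in users:
            return []
    return ['no deny users="*" rule, so the inherited allow-all rule applies']

if __name__ == "__main__":
    print(audit_trace(SAMPLE) or "trace.axd is restricted")
```

The order check matters because a rule that allows everyone placed above the deny rule would be matched first, leaving trace.axd open despite the deny line being present.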

Thanks to Scott Cate for the tip.