How do I prevent ASP.NET trace and debug flags from being left enabled inadvertently in a production environment?

In the Machine.config file, there is a "deployment" element that you can add and set to help in this area. Once set, this element tells the ASP.NET process to ignore several security- and performance-related settings that may have been left enabled inadvertently in the web.config and deployed in a production environment. Adding this element on all of your production servers results in the following:

  • The compiler "debug" flag will be set to "false", ignoring all web.config files
  • The trace "enabled" flag will be set to "false", ignoring all web.config files
  • The customErrors "mode" flag will be set to "On", ignoring all web.config files
  • The "ScriptMode" flag of the AJAX ScriptManager and ScriptReference controls will render release versions of the client scripts to the browser while ignoring all control level settings

File: Machine.config

<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
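
To confirm the setting is present on a server and to see which web.config values it would override, an audit along these lines can be used. This is an added example, not code from the original page; the function names and the sample XML are constructed for illustration, and it covers the three web.config flags listed above (not the control-level ScriptMode setting).

```powershell
function Test-RetailDeployment {
    # True only when machine.config contains <deployment retail="true" />.
    param([Parameter(Mandatory)][xml]$MachineConfig)
    $node = $MachineConfig.SelectSingleNode('/configuration/system.web/deployment')
    return (($null -ne $node) -and ($node.GetAttribute('retail') -eq 'true'))
}

function Get-RetailOverriddenSetting {
    # Lists web.config values that retail="true" would override (including those under <location>).
    param([Parameter(Mandatory)][xml]$WebConfig)
    $checks = @(
        @{ XPath = '//system.web/compilation';  Attribute = 'debug';   Risky = 'true' }
        @{ XPath = '//system.web/trace';        Attribute = 'enabled'; Risky = 'true' }
        @{ XPath = '//system.web/customErrors'; Attribute = 'mode';    Risky = 'Off'  }
    )
    foreach ($check in $checks) {
        foreach ($node in $WebConfig.SelectNodes($check.XPath)) {
            $value = $node.GetAttribute($check.Attribute)
            if ($value -eq $check.Risky) {
                [pscustomobject]@{ Element = $node.Name; Attribute = $check.Attribute; Value = $value }
            }
        }
    }
}

# Constructed sample input standing in for the real files.
$machineConfig = @'
<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
'@
$webConfig = @'
<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
'@

$retail   = Test-RetailDeployment -MachineConfig $machineConfig
$findings = @(Get-RetailOverriddenSetting -WebConfig $webConfig)
"retail enabled: $retail; risky web.config settings found: $($findings.Count)"
$findings | Format-Table -AutoSize
if (-not $retail -and $findings.Count -gt 0) { Write-Warning 'These settings are live: retail is not enabled.' }
```

On a server, replace the here-strings with the contents of the real files, for example by reading them with `Get-Content -Raw`.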

For more information on the deployment element:
https://msdn.microsoft.com/en-us/library/ms228298(VS.80).aspx

For more information on the ScriptMode property:
https://msdn.microsoft.com/en-us/library/bb344940.aspx

For more information on how and why Microsoft.com uses the deployment element across the enterprise:
https://technet.microsoft.com/en-us/magazine/cc160896.aspx