Automatically setting compilation debug to false in production

by Joe Havelick 15. March 2009 12:24

When running an ASP.NET configuration in production, it is important to assure that a couple of things are in place.

First, you don't want to publish in debug compilation mode.  See the first reference below for a more detailed explanation, but long story short, you're wasting a lot of processor time and memory if you do.  The way to go about doing this is to set <compilation debug="false"> in the web.config.  Unfortunately, there is no simple way to automate this (although you can make it part of the build process, see second link below), and it becomes something that is easily overlooked in deployment.

Second, you want to preclude users from receiving the ASP.NET errors, which although very helpful, can contain sensitive information such as connection strings (possibly with passwords) or stack traces which can give hackers an edge on cracking your system.  You can preclude this using the <customErrors mode="RemoteOnly" ...> or <customErrors mode="True" ...> settings in the web.config, which should be done regardless of the fix below, because you will want to be presenting users witha  "friendly" error page.

As an administrator, you should deploy the following key into the machine.config file (located at C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG):



          <deployment retail=”true”/>



This will override the compilation debug mode to be false for all web applications on that machine, as well as preclude the ASP.NET error pages from occurring.  Of course this means you will need to build appropriate error handling into your application, but you already did that anyway, right?




Tech Tips

About Me

Joe Havelick is a reasonable facsimile of this photo.

profile for Joe on Stack Exchange, a network of free, community-driven Q&A sites