I have started using Elmah for this project and I find it very useful, however I have a question.

If you install it on the production server, wouldn't it be a hacking risk? I mean the thought behind not showing the Yellow Screen of Death is also not to give information to hackers on your site.

Isn't this information also shown with elmah? How would you go around this? Logging errors in the database?

Thanks for your opinions

JMon
  • Ok, found this solution, which works: http://stackoverflow.com/questions/6778881/how-can-i-restrict-remote-access-to-elmah – JMon Feb 26 '13 at 11:41
  • elmah.mvc includes configuration items so that you can require the page to need a logged in user who is also a member of a specific group. In our case we require users to be logged in and part of the "Admin" group. – Jack Hughes Feb 28 '13 at 13:28

1 Answer

You have to secure your elmah page with a login / password (because it contains session cookies, form parameters, ...).

I did it like this: create a folder in your website root named "log" and change its security settings to allow only domain admin.

Then in your web.config change your httphandler from "elmah.axd" to "log/elmah.axd", so when you try to access elmah it'll ask for your credentials.

remi bourgarel
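
A web.config sketch of the approach in the answer above, added here as an illustration and not taken from the answer or from the ELMAH project. It moves the handler under `log/` and, as an assumed alternative to folder-level permissions, uses ASP.NET URL authorization with a role named "Admin" (the role name comes from the comment on the question).

```xml
<!-- Added example. Assumptions: the <configSections> entries for the
     elmah section group already exist from the ELMAH install, and the
     site has an authenticated role called "Admin". -->
<configuration>
  <elmah>
    <!-- Remote viewing is off by default; turn it on only together
         with the <location> rule at the bottom of this file. -->
    <security allowRemoteAccess="true" />
  </elmah>

  <system.web>
    <httpHandlers>
      <!-- Before: path="elmah.axd" at the site root, outside any
           <location> rule. -->
      <add verb="POST,GET,HEAD" path="log/elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
  </system.web>

  <!-- Same registration for the IIS 7+ integrated pipeline. -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <add name="Elmah" verb="POST,GET,HEAD" path="log/elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah"
           preCondition="integratedMode" />
    </handlers>
  </system.webServer>

  <!-- Everything under /log, including the error log viewer, requires
       an authenticated user in the Admin role; everyone else is denied. -->
  <location path="log">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, request both `/elmah.axd` and `/log/elmah.axd` while signed out: the first should return 404 and the second should be refused or redirected to the login page.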