9

I followed the answer to this question, "Securing Elmah in ASP.NET website", to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone can guess the RSS URL and subscribe to a feed of the error log?

Community
danludwig
  • Have you solved this yet? If not, please post the URL Path to the file you want to secure (you don't have to give the complete public URL - I just need the relative path) and we'll go from there. It should be relatively easy to secure... – Richard May 06 '10 at 08:37

1 Answer

8

I secure mine in the web.config with a role:

<location path="elmah.axd">
    <system.web>
        <authorization>
            <allow roles="SUPER_DUPER_ADMIN"/> 
            <deny users="*"/> 
        </authorization>
    </system.web>
</location>
rick schott
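One way to confirm that an authorization rule like the one in the answer also covers the feed URLs from the question is to request each path with no credentials and classify the response. This is an added example, not part of the original answer; the base URL `app.example.test`, the login path and the canned responses are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Handler paths named in the question.
ELMAH_PATHS = ["elmah.axd", "elmah.axd/rss", "elmah.axd/digestrss"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the redirect itself instead of following it

def fetch_anonymous(url):
    """Request url with no cookies or credentials; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""

def classify(path, status, location):
    """Verdict for one anonymous response to an ELMAH path."""
    if status == 200:
        return "EXPOSED"          # error log content served without a login
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        # A forms-auth redirect goes to a different page (the login URL); a
        # redirect back to the same path (e.g. http -> https) proves nothing.
        same = not location or urlsplit(location).path.lower().endswith("/" + path)
        return "inconclusive" if same else "protected"
    return "inconclusive"         # 404, 500, ...: check by hand

def audit(base_url, fetch=fetch_anonymous):
    """Return {path: verdict} for every ELMAH path under base_url."""
    base = base_url.rstrip("/")
    return {p: classify(p, *fetch(base + "/" + p)) for p in ELMAH_PATHS}

if __name__ == "__main__":
    # Constructed responses modelling the behaviour described in the question:
    # the log page asks for a login but the feeds answer 200.
    canned = {
        "/elmah.axd": (302, "/login.aspx?ReturnUrl=%2felmah.axd"),
        "/elmah.axd/rss": (200, ""),
        "/elmah.axd/digestrss": (200, ""),
    }
    fake = lambda url: canned[urlsplit(url).path]
    for path, verdict in audit("https://app.example.test", fake).items():
        print(f"{verdict:12} {path}")
```

Calling `audit()` with only a base URL uses the real `fetch_anonymous`; any path reported as `EXPOSED` is being served to unauthenticated clients.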