Tuesday, July 10, 2007

Don't Run Production ASP.NET Applications with debug="true" Enabled

You shouldn’t publish applications compiled with debug="true" to production. This setting is useful during development, because the compiler then generates extra debugging information (i.e. debug symbols) to assist in debugging. As part of this, the compiler generates .pdb files that contain references to the source files and line numbers. Some people might not realize that these are generated on the machine where the compile takes place, so the references point to the files on your local machine.

Showing this information in a production application is definitely a bad idea for security reasons, but that is not the only issue. I’m including a link to an article that explains why it's a bad idea to leave this on when publishing to production. It’s probably OK to leave this on when publishing to your dev/test servers, but the article also discusses how you can compile with debug="false" and still get the debugging symbols to assist with debugging. That is probably the better option for dev/test.

Here is an excerpt from the article:

One of the things you want to avoid when deploying an ASP.NET application into production is to accidentally (or deliberately) leave the switch on within the application’s web.config file.

Doing so causes a number of non-optimal things to happen including:

The full article is here:
Don’t run production ASP.NET Applications with debug="true" enabled
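
A pre-publish check for the setting discussed in this post, as an added example that is not from the original post or the linked article: it walks a publish folder, parses every web.config, and reports where `<compilation debug="true">` is set, including inside `<location>` blocks. The function names, the sample config and the exit-code convention are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample; some web.config files carry this xmlns, so tags are matched by local name.
SAMPLE = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web><compilation debug="true" /></system.web>
  <location path="admin">
    <system.web><compilation debug="false" /></system.web>
  </location>
</configuration>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix if present

def debug_scopes(config_xml):
    """Scopes with debug="true": "." is the app root, others are <location> paths."""
    hits = []
    def walk(node, scope):
        for child in node:
            name = _local(child.tag)
            if name == "location":
                walk(child, child.get("path") or ".")
            elif name == "system.web":
                for comp in child:
                    # A missing attribute means off; casing is ignored so "True" is flagged too.
                    value = comp.get("debug", "false").strip().lower()
                    if _local(comp.tag) == "compilation" and value == "true":
                        hits.append(scope)
    walk(ET.fromstring(config_xml), ".")
    return hits

def scan_tree(root_dir):
    """Map each web.config under root_dir to the scopes that enable debug."""
    findings = {}
    for path in Path(root_dir).rglob("*"):
        if path.is_file() and path.name.lower() == "web.config":
            try:
                scopes = debug_scopes(path.read_bytes())
            except ET.ParseError as exc:
                scopes = ["unparseable: %s" % exc]  # fail closed on broken configs
            if scopes:
                findings[str(path)] = scopes
    return findings

if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, scopes in sorted(found.items()):
        print(path, "->", ", ".join(scopes))
    sys.exit(1 if found else 0)  # non-zero exit lets a build step block the publish
```

Run it against the publish output folder as a build step; any finding, or a config file that cannot be parsed, produces a non-zero exit code.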
