Anyname Donotcare

Reputation: 11403

publishing options

Q:

I want to ask whether publishing the .cs and the .aspx files on my server during the web application publishing process is considered a bad practice and may cause a security violation or not.

Sometimes I have to do this because the report files don't get published or the CSS files don't work properly.


When should I use each of those options?

Upvotes: 3

Views: 193

Answers (2)

jwheron

Reputation: 2562

This may be a misapplication of the principle, but I always think of the principle of least privilege. By that, I mean:

  • Do my users need to see any code files (applicable under both "All project files" and "All files in the source project folder")?
  • Do my users need to see any files in my project folder, but not included in my project (applicable under "All files in the source project folder")?

If the answer to those questions is no, then I publish using only files needed to run this application.

I once made the mistake of publishing a website using "All files in the source project folder", because I needed to deploy a bunch of .css and .js files from a plug-in I used, and didn't know how to quickly include those files in my web project.

However, as soon as I saw all my source code show up in my production folder, I quickly switched my publish option back to "Only files needed to run this application", and deployed deleting all files in the target folder. Then, I looked around to find a way to include all files in a folder that was not in my project, and I've been happier since.

Honestly, even if my users needed to see code of some sort, I'd consider writing a quine before I'd publish copies of my .cs file on any website. People have differing opinions about Internet security, but I often think of this quote from Gene Spafford:

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

If you look around here, you'll find various questions where users are trying to safely encrypt/decrypt connection strings, store data securely in their programs (or databases), and are otherwise trying their best to keep anyone -- even their most trusted users -- from getting access they otherwise shouldn't have.

As unlikely as it might be that a malicious user would try to access the files on your server, I can tell you that it's a lot harder for a malicious user to access the files on my server, because those files don't exist on my server.

Upvotes: 3

christofr

Reputation: 2700

Ensure your IIS settings mean that .cs files are not served publicly. This should be the same with any sensitive or non-public filetypes, such as .config.

.aspx files contain your markup, so are typically fine to publish and serve publicly.

Upvotes: 2
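
A deployment check in the spirit of both answers above, as an added example that is not part of either answer: it walks a published folder and separates files that should not be there at all (source files) from files that must be present but never served (such as .config). The extension lists, the sample file names and the assumption of a Web Application project (code-behind compiled into bin) are illustrative, not taken from the page.

```python
import os
import tempfile

# Assumed lists for illustration; adjust them to the project.
SOURCE_EXTS = {".cs", ".vb", ".csproj", ".vbproj", ".sln", ".user"}  # should not be deployed
BLOCKED_EXTS = {".config"}  # required at runtime, but IIS must refuse to serve them


def audit_publish_folder(root):
    """Classify files under a published site by extension.

    Returns {"remove": [...], "must_block": [...]} with paths relative to root.
    .aspx, .css, .js and compiled assemblies are left alone.
    """
    findings = {"remove": [], "must_block": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if ext in SOURCE_EXTS:
                findings["remove"].append(rel)
            elif ext in BLOCKED_EXTS:
                findings["must_block"].append(rel)
    findings["remove"].sort()
    findings["must_block"].sort()
    return findings


def build_sample_site(root):
    """Constructed sample of a folder published with all source project files."""
    for rel in ["Default.aspx", "Default.aspx.cs", "Web.config", "App.csproj",
                "bin/App.dll", "Content/site.css", "Reports/Sales.rdlc"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_publish_folder(root)


if __name__ == "__main__":
    result = run_demo()
    print("Delete from server:", result["remove"])
    print("Confirm IIS refuses to serve:", result["must_block"])
```

Anything in the first list can be deleted from the target folder; anything in the second stays, and the IIS settings are what keep it from being served.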
