In the Arizona .NET User Group (http://www.AZDNUG.com), which I run, we were talking about tracing and all the awesome features and abilities it has, and we ran into a problem.
You may know that if tracing is enabled and is not restricted with localOnly="true", then you can access Trace.axd from anywhere. This can be very dangerous if you are passing things like these to Trace.Write:
- Configuration/Connection Strings (which is a terrible idea)
- SQL Strings
- Variable Name/Value Pairs
- Whatever
So we figured out a way to secure the Trace.axd file. It's pretty simple, actually. The ASP.NET worker process is in charge of rendering Trace.axd, which means we can secure it through the web.config file.
Make the following additions and/or modifications to your web.config file:
    <location path="trace.axd">
      <system.web>
        <authorization>
          <!-- Rules are evaluated top-down and the first match wins,
               so the allow must come before the catch-all deny. -->
          <allow users="ScottCate" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
Then modify your trace element:

    <!-- localOnly="false" makes Trace.axd reachable remotely; the <location> rules above now gate it -->
    <trace enabled="true" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="false" />
Because your web.config turns on tracing, the Trace.axd file is activated, and because your location security only allows certain users, you've now secured your Trace.axd file.
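To check an existing web.config for this exposure, here is an added example (not code from the original post) that reports when remote tracing is on but trace.axd has no catch-all deny rule. The function name and sample configs are constructed for illustration; it assumes a web.config without an XML namespace and applies the framework defaults (enabled="false", localOnly="true") when an attribute is missing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: tracing open to remote clients, no <location> lock-down.
EXPOSED = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""

# Constructed sample: same trace settings plus the <location> rules from the post.
LOCKED = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
  <location path="trace.axd">
    <system.web>
      <authorization>
        <allow users="ScottCate" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _flag(elem, name, default):
    """Read a boolean attribute, falling back to the ASP.NET default."""
    return (elem.get(name) or default).strip().lower() == "true"

def audit_trace(web_config_xml):
    """Return a list of findings about Trace.axd exposure (empty list = OK)."""
    root = ET.fromstring(web_config_xml)
    trace = root.find("./system.web/trace")
    if trace is None or not _flag(trace, "enabled", "false"):
        return []                      # tracing is off, nothing to expose
    if _flag(trace, "localOnly", "true"):
        return []                      # viewer only answers local requests
    rules = []
    for loc in root.findall("./location"):
        if (loc.get("path") or "").lower() == "trace.axd":
            rules = list(loc.findall("./system.web/authorization/*"))
    # Rules are evaluated top-down; the first rule matching the user wins.
    for rule in rules:
        users = [u.strip() for u in (rule.get("users") or "").split(",")]
        if "*" in users:
            if rule.tag == "deny":
                return []
            return ["trace.axd: <allow users=\"*\"> is reached before any deny"]
    return ["trace.axd: remote tracing enabled with no <deny users=\"*\"> rule"]
```
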
Happy Coding.
scottc@myKBPro.com