Hi,
I'm trying to disable trace/debug information from being shown but this doesn't seem to be working despite making the following changes to the web.config file:-
- Set umbracoDebugMode to false
- In the system.web/trace section set enabled to false so that nobody has access to your traces
And also the following changes have been made to default.aspx:-
Change
<add key="umbracoDebugMode" value="true" />
To false, and also change
<compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0">
To false.
Reason:
Having trace enabled allows an attacker to see a bunch of server variables including ports, IP addresses, and even an absolute directory structure of where your website sites on your server.
Both the website and IIS have been restarted after making these changes! Does anyone have any idea why it would still be possible to view trace information?
Many thanks
Sources: http://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment/setting-trace-in-defaultaspx-and-webconfig
http://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment
This is a companion discussion topic for the original entry at https://our.umbraco.com/forum/42636-unable-to-disable-tracedebug