mayuki / Rin

Request/response Inspector middleware for ASP.NET Core
MIT License

Use in Production? #11

Open Trojaner opened 6 years ago

Trojaner commented 6 years ago

Would you recommend using this in production mode?

If you do so, are you planning to implement some kind of access control anytime soon?

mayuki commented 6 years ago

I don't recommend using Rin in a production environment for several reasons.

  1. Performance: Request capturing pays an overhead of memory and processor. The middlewares cause an application to slow down.
  2. Security: Currently, Rin doesn't have an access control feature. That may expose sensitive information.

However, I know some developers need to protect a development environment too. So, I planned to implement access control in the future.

At the moment, if you want to restrict access to the Rin inspector, you can implement a workaround in the middleware pipeline.

Workaround

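// Resolve Rin's options to find where the inspector UI is mounted.
var options = app.ApplicationServices.GetService<RinOptions>();
// Branch the pipeline for inspector requests that should be rejected.
app.MapWhen(
    ctx => ctx.Request.Path.StartsWithSegments(options.Inspector.MountPath) &&
           /* ctx.Request ...some conditions ... */,
    app2 =>
    {
        app2.Use((ctx, next) =>
        {
            // Short-circuit: never call next(), so the request does not reach Rin.
            ctx.Response.StatusCode = 403;
            // Return the write task so the response body is flushed before the request completes.
            return ctx.Response.WriteAsync("Forbidden");
        });
    });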

app.UseRin();
...
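
One way to fill in the condition left open in the workaround above, as an added example that is not mayuki's or the Rin project's code: it answers 403 for any inspector request that does not come from the local machine. `RinInspectorGuard`, `UseRinLocalOnly` and `IsLocal` are hypothetical names, the `Rin.Core` namespace for `RinOptions` is an assumption, and the example assumes any reverse proxy in front of the app sets `X-Forwarded-For`.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Rin.Core; // assumed namespace of RinOptions

public static class RinInspectorGuard // hypothetical helper class
{
    // True only for a direct connection from the local machine.
    private static bool IsLocal(HttpContext ctx)
    {
        var ip = ctx.Connection.RemoteIpAddress;
        if (ip == null) return false; // unknown peer: deny

        // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d.
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();

        // Behind a reverse proxy on the same host every client looks like
        // loopback, so a forwarded request is treated as remote.
        // Assumption: the proxy always sets X-Forwarded-For.
        if (ctx.Request.Headers.ContainsKey("X-Forwarded-For")) return false;

        return IPAddress.IsLoopback(ip);
    }

    // Register before app.UseRin() so the branch runs ahead of the inspector.
    public static IApplicationBuilder UseRinLocalOnly(this IApplicationBuilder app)
    {
        var options = app.ApplicationServices.GetRequiredService<RinOptions>();

        app.MapWhen(
            ctx => ctx.Request.Path.StartsWithSegments(options.Inspector.MountPath)
                   && !IsLocal(ctx),
            denied => denied.Run(ctx =>
            {
                // Terminal middleware: the request never reaches Rin.
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return ctx.Response.WriteAsync("Forbidden");
            }));

        return app;
    }
}
```

Call `app.UseRinLocalOnly();` immediately before `app.UseRin();`. If the proxy in front of the app does not add `X-Forwarded-For`, the loopback test passes for every client and a different condition is needed.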