mccalltd / AttributeRouting

Define your routes using attributes on actions in ASP.NET MVC and Web API.
http://mccalltd.github.io/AttributeRouting/
MIT License
416 stars 89 forks

routes.axd is exposed in production #267

Open duncansmart opened 11 years ago

duncansmart commented 11 years ago

Something to be aware of: as there's no authentication by default on routes.axd, anyone can have a snoop at your route configuration, which may expose stuff you'd rather people not know.

My workaround is to add the following to the Web.Release.config transform:

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpHandlers>
      <add xdt:Transform="Remove" xdt:Locator="Match(path)" path="routes.axd" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add xdt:Transform="Remove" xdt:Locator="Match(path)" path="routes.axd" />
    </handlers>
  </system.webServer>
</configuration>

Should this be added to the NuGet package? Alternatively, should LogRoutesHandler do a check on context.Request.IsLocal and return a 404 if not?
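The IsLocal check suggested in the comment above, written as a standalone IHttpModule so it does not depend on LogRoutesHandler's internals. This is an added example, not part of the original post and not code from AttributeRouting; the class name LocalOnlyRoutesAxdModule is hypothetical.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example (hypothetical class name); not part of AttributeRouting.
// Register it under <system.webServer><modules> (and <system.web><httpModules>
// for the classic pipeline) so it runs for every request.
public sealed class LocalOnlyRoutesAxdModule : IHttpModule
{
    // File name taken from the handler registration shown in the issue.
    private const string ProtectedSegment = "routes.axd";

    public void Init(HttpApplication application)
    {
        // BeginRequest fires before the handler is selected, so the check
        // runs whether or not the routes.axd handler is still registered.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // Rebuild the full app-relative path, including any PathInfo tail,
        // and match the file name in any segment. This is deliberately
        // conservative: "/routes.axd/extra" and nested paths are covered too.
        string path = request.AppRelativeCurrentExecutionFilePath + request.PathInfo;
        bool targetsRoutesAxd = path
            .Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries)
            .Any(s => string.Equals(s, ProtectedSegment, StringComparison.OrdinalIgnoreCase));

        if (!targetsRoutesAxd || request.IsLocal)
            return;

        // Respond as if the resource does not exist, then skip the rest of
        // the pipeline so the route listing is never rendered.
        context.Response.Clear();
        context.Response.StatusCode = 404;
        context.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

Request.IsLocal is true when the client address is loopback or equals the server's own address, so behind a reverse proxy on the same machine every request looks local; in that setup, removing the handler with the Web.Release.config transform is the dependable control.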

mccalltd commented 11 years ago

I just don't include the handler in the release config generally. If you'd like to submit a PR I'd merge it in.