
Protect Information in Log Files

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Protect the information in your log files as it may give important insight into the internal workings of your application.

The following tips can help you to prevent the content of a log file from being exposed unintentionally:
  • Ensure that the log files are protected by Access Control Lists (ACL) both in Web-host and self-host scenarios.
  • Choose a file extension that cannot be easily served using a Web request. For example, the .xml file extension is not a safe choice. You can check the Internet Information Services (IIS) administration guide to see a list of extensions that can be served.
  • Specify an absolute path for the log file location, which should be outside of the Web host vroot public directory to prevent it from being accessed by an external party using a Web browser.
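
The following PowerShell script is an added example, not part of the original guidance, that turns the three tips above into an audit of the message-logging listeners declared in a WCF web.config. The two config fragments, the web-root path, the application pool name and the list of served extensions are constructed for illustration; the served-extension list in particular should be replaced with the one from the IIS administration guide for the server being checked. The weak fragment uses a relative path under the application directory with an .xml extension; the hardened one points at an absolute path outside the web root with an extension IIS does not serve by default.

```powershell
# Added example (not from the original page): audit WCF message-logging listeners
# against the three tips above. All names, paths and sample configs are constructed.

# Constructed weak fragment: relative path, resolves under the vroot, .xml extension.
$weakConfig = @'
<configuration>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging" switchValue="Warning">
        <listeners>
          <add name="messages" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="logs\messages.xml" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>
'@

# Constructed hardened fragment: absolute path outside the web root, .svclog extension.
$hardenedConfig = @'
<configuration>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging" switchValue="Warning">
        <listeners>
          <add name="messages" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="D:\ServiceLogs\OrderService\messages.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>
'@

# Illustrative list of extensions IIS serves as static content (assumption; take the
# real list from the IIS administration guide for the server in question).
$servedExtensions = @('.xml', '.txt', '.log', '.htm', '.html')

function Test-WcfLogListener {
    param(
        [Parameter(Mandatory)][string]$ConfigXml,
        [Parameter(Mandatory)][string]$WebRoot     # physical path of the vroot
    )
    [xml]$config = $ConfigXml
    $findings = @()
    $xpath = '//system.diagnostics/sources/source/listeners/add[@initializeData]'
    foreach ($listener in $config.SelectNodes($xpath)) {
        $name = $listener.GetAttribute('name')
        $path = $listener.GetAttribute('initializeData')

        # Tip 3: the path must be absolute; a relative one lands under the application.
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $findings += "$name : '$path' is relative and resolves under the application directory"
            $path = Join-Path $WebRoot $path
        }
        # Tip 3 (continued): and it must lie outside the web root.
        $full = [System.IO.Path]::GetFullPath($path)
        $root = [System.IO.Path]::GetFullPath($WebRoot).TrimEnd('\') + '\'
        if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "$name : '$full' is inside the web root '$WebRoot'"
        }
        # Tip 2: the extension should not be one a Web request can fetch.
        $ext = [System.IO.Path]::GetExtension($full)
        if ($servedExtensions -contains $ext) {
            $findings += "$name : extension '$ext' can be served by a Web request"
        }
        # Tip 1: an existing log file must not grant Allow entries to broad groups.
        if (Test-Path $full) {
            $broad = (Get-Acl $full).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'Everyone|Users$'
            }
            if ($broad) { $findings += "$name : ACL allows $($broad.IdentityReference -join ', ')" }
        }
    }
    return $findings
}

function Protect-WcfLogFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AppPoolName   # identity that writes the log
    )
    # Tip 1 remediation: drop inherited entries, then allow only Administrators and the
    # application pool identity (same approach works for a self-host service account).
    & icacls $Path /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "IIS AppPool\${AppPoolName}:(M)"
}

foreach ($case in ([ordered]@{ weak = $weakConfig; hardened = $hardenedConfig }).GetEnumerator()) {
    "== $($case.Key) =="
    $result = Test-WcfLogListener -ConfigXml $case.Value -WebRoot 'C:\inetpub\wwwroot\OrderService'
    if ($result) { $result } else { 'no findings' }
}
```

Run it against a real web.config by passing the file contents (`Get-Content -Raw`) as `-ConfigXml` and the site's physical path as `-WebRoot`; once the log directory exists, `Protect-WcfLogFile` applies the ACL from the first tip to the file the listener writes.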

By default, when message logging is enabled, keys and personally identifiable information (PII) such as user names and passwords, application-specific headers such as the query string, and body information such as credit card numbers are not written to traces or logged messages.

Additional Resources

Last edited Jun 12, 2008 at 8:48 PM by prashantbansode, version 1
