I followed the answer to this question Securing Elmah in ASP.NET website to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone can guess the RSS URL and subscribe to a开发者_如何转开发 feed of the error log?
I secure mine in the web.config with a role:
<location path="elmah.axd">
<system.web>
<authorization>
<allow roles="SUPER_DUPER_ADMIN"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
精彩评论