ASP.NET MVC3 publishing settings in web.config
I have published an ASP.NET MVC3 site. It runs great. However, looking back at my web.config file, I was not sure if some of the values I used are correct for publishing versus for developing. These configurations are in the <system.web> section.
...
<system.web>
<httpRuntime requestValidationMode="2.0" executionTimeout="200" maxRequestLength="20000000"/>
<compilation debug="true" targetFramework="4.0">
...
I read here ( http://msdn.microsoft.com/en-us/library/e1f13641.aspx ) that using debug=true in compilation will disregard the executionTimeout of 200, and use a default value of 110. This seems to be the case, and the site is set up to allow very large amounts of files to be uploaded all at once. However, with only 110 seconds, not much can be uploaded.
My question is this: Is the correct setting to publish a live site for debug "false"? In addition, is requestValidationMode="2.0" still safe to use considering ASP.NET is now on version 4 (soon to be 4.5)?
Comments (2)
Validationmode 2.0 is not the framework version and can stay like that.
Put debug=false and you are fine.
requestValidationMode... As far as I'm aware, this has to be set to 2.0 if you want to allow special characters (<, >, % etc.) in request data to pass ASP.NET's request validation at all. requestValidationMode="2.0" means "only enforce validation on pages (i.e. .aspx), rather than on every request (as was introduced in 4.0)". That allows ASP.NET MVC to take over the validation - and hence also lets you turn it off for specific requests.
Is it safe? It is, if you've made sure that any actions or controllers that have [ValidateInput(false)] applied or models with [AllowHtml] have been properly secured against attacks. Imran Baloch has a full explanation here.
And yes, debug should be "false" for several reasons, including performance and memory usage. Also, debug="true" changes the default cache policy for static files to never cache the files in the browser, meaning tons of redundant requests for scripts, CSS etc.
As for the image upload, other than the suggestions given, check in Event Viewer that it's not really the application pool recycling for one reason or other, rather than an execution timeout.
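A pre-publish check for the settings discussed in this thread, as an added example that is not part of the question or either answer: it parses a web.config and reports the `debug`, `executionTimeout`, `requestValidationMode` and `maxRequestLength` values that deserve review before going live. The function name `audit_web_config` and the `max_upload_mb` threshold are assumptions made for illustration, and the sample input is constructed from the fragment in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's <system.web> fragment, closed so that it parses.
SAMPLE = """<configuration><system.web>
  <httpRuntime requestValidationMode="2.0" executionTimeout="200" maxRequestLength="20000000"/>
  <compilation debug="true" targetFramework="4.0"/>
</system.web></configuration>"""


def audit_web_config(xml_text, max_upload_mb=100):
    """Return (setting, message) findings for a web.config bound for production.

    max_upload_mb is a hypothetical review threshold, not an ASP.NET default.
    """
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return []
    comp, rt = web.find("compilation"), web.find("httpRuntime")
    rt_attrs = rt.attrib if rt is not None else {}
    findings = []

    debug = comp is not None and comp.get("debug", "false").strip().lower() == "true"
    if debug:
        findings.append(("compilation/@debug", 'set debug="false" before publishing'))
        if "executionTimeout" in rt_attrs:
            # httpRuntime docs: the timeout applies only when debug is false.
            findings.append(("httpRuntime/@executionTimeout",
                             "executionTimeout=%s has no effect while debug is true"
                             % rt_attrs["executionTimeout"]))

    mode = rt_attrs.get("requestValidationMode")
    if mode and tuple(int(p) for p in mode.split(".")) < (4, 0):
        findings.append(("httpRuntime/@requestValidationMode",
                         "validation is enforced on pages only; review every "
                         "[ValidateInput(false)] action and [AllowHtml] property"))

    if "maxRequestLength" in rt_attrs:
        size_mb = int(rt_attrs["maxRequestLength"]) / 1024.0  # attribute is in KB
        if size_mb > max_upload_mb:
            findings.append(("httpRuntime/@maxRequestLength",
                             "uploads up to %.0f MB are accepted" % size_mb))
    return findings


if __name__ == "__main__":
    for setting, message in audit_web_config(SAMPLE):
        print("%-36s %s" % (setting, message))
```

The `requestValidationMode` finding is a prompt to review the opted-out actions and models, not a statement that 2.0 is unsafe; both answers leave that value in place.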