Eric
Apr 22, 2016

Hide resizer.debug.ashx from your website.

Many of us use the popular http://imageresizing.net library to manipulate or resize images on our websites. But with it you also get resizer.debug.ashx. This little thingy actually shows a lot of information about your website to the world.

The page is part of the Diagnostics plugin and can be disabled through the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, so make sure you have configured the customErrors section correctly in your web.config.

Example of information exposed from one partner website:

Environment information:

Running Microsoft-IIS/8.5 on Microsoft Windows NT 6.3.9600.0 and CLR 4.0.30319.42000
Trust level: Unrestricted
OS bitness: AMD64
Executing assembly: c:\windows\system32\inetsrv\w3wp.exe
IntegratedPipeline: True

Loaded assemblies:

mscorlib                                 Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web                               Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System                                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Core                              Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web.ApplicationServices           Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System.Configuration                     Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Xml                               Assembly: 4.0.0.0         File: 4.6.1064.2      Info: 4.6.1064.2
System.Runtime.Caching                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
Microsoft.Build.Utilities.v4.0           Assembly: 4.0.0.0         File: 4.0.30319.33440 Info: 4.0.30319.33440
Microsoft.JScript                        Assembly: 10.0.0.0        File: 14.0.1055.0     Info: 14.0.1055.0

I guess many of us do not care, but I think it is a good idea to hide that information, and it is easy to forget to set the right customErrors. Another way of removing the information is to use a rewrite rule in your project like the one below, instead of removing the plugin or relying on the customErrors section.

    <!-- Returns 404 for every URL ending in .ashx, not only resizer.debug.ashx -->
    <rule name="ImageResizer"
          patternSyntax="Wildcard"
          stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{URL}"
             pattern="/*.ashx" />
      </conditions>
      <action type="CustomResponse"
              statusCode="404"
              statusReason="File or directory not found."
              statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
    </rule>
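
A narrower variant of the settings discussed in this post, added here as an example and not taken from the original post or the ImageResizer project. It assumes ImageResizer's `enableFor` attribute on `<diagnostics>` and the IIS URL Rewrite module; the rule name `HideResizerDebug` is made up, and the fragment is meant to be merged into an existing web.config that already registers the resizer section.

```xml
<configuration>
  <resizer>
    <!-- Switch the diagnostics page off for every host,
         independent of the customErrors setting. -->
    <diagnostics enableFor="None" />
  </resizer>

  <system.web>
    <!-- Remote visitors get no detailed ASP.NET errors.
         mode="Off" is the value that exposes them to everyone. -->
    <customErrors mode="RemoteOnly" />
  </system.web>

  <system.webServer>
    <rewrite>
      <rules>
        <!-- Uses the default regular-expression pattern syntax.
             Matches only resizer.debug.ashx (at the site root or in a
             subfolder), so other .ashx handlers keep working. -->
        <rule name="HideResizerDebug" stopProcessing="true">
          <match url="(^|/)resizer\.debug\.ashx$" />
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="File or directory not found."
                  statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Either the `<diagnostics>` element or the rewrite rule is enough on its own; keeping both means the page stays hidden if one of them is lost in a later config merge.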

Comments

valdis Apr 24, 2016 05:01 PM

Nice catch. Is it so, that you are disabling *any* Http handler by adding pattern "/*.ashx"?

Eric Apr 24, 2016 09:01 PM

In this case I believe so ;) But it is more of an example but it will work in this case. If you have other handlers you will need to have another rewrite condition.

Frederik Vig Apr 26, 2016 03:12 PM

It's only available for localhost (by default at least).

Eric Apr 26, 2016 04:22 PM

Hmm not sure what you mean with localhost!? I have tried this on a couple of websites using imageresizer and I get this information. :) 

valdis Apr 26, 2016 11:02 PM

Digging more into this stuff:

1) You can disable this handler not by adding rewrite rule (and potentially disabling *any* handler your site might have) - but instead, adding element to your element.

2) this handler is enabled because most probably is set to "Off". Double check your web.config file.

Eric Apr 26, 2016 11:10 PM

Thanks for all the comments, and yes I mentioned that in the post, but it could have been in more detail perhaps :)

"The page is actually part of the Diagnostics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correctly in your web.config."
