18.5. The Deployment Checklist
Instead of ending this chapter with general practical tips about deployment, this section gives you a practical list of things to check when you're ready to put your web site in production.
Make sure you don't have debugging enabled in the web.config file. This causes unnecessary overhead and decreases performance of your web site as code executes slower and important files cannot be cached by the browser. To ensure debugging is disabled, open the web.config file you are using for your production environment, and verify that debug is set to false:
<compilation debug="false">
Make sure you have turned on custom errors by setting the mode attribute of the customErrors element in web.config to either On or RemoteOnly. In the first case, everyone sees your custom error pages while in the second case, only users local to the web server can see the error details. Never leave the mode set to Off, as doing so can lead to information disclosure. The following snippet shows a safe configuration of the customErrors element:
<customErrors mode="On" defaultRedirect="~/Errors/Error500.aspx"> Optional <error /> elements go here </customErrors>
Disable tracing, or at least limit the trace information to users coming from the local machine. The following <trace> element from web.config blocks tracing for users coming from machines other than the web server itself. Additionally, it stops the trace information from appearing in the page:
<trace mostRecent="true" enabled="true" ...