Menu
Are there any security issues keeping the .NET PDB files on the real server?
I know that throwing exceptions might take a bit longer , but who throws exceptions during normal execution anyway? :-)
But from a security perspective? any issues?
532
PDBs do not contain source code; they only contain a link to the file that was used at compile time. That way, people could figure out the local file structure of the build server, which might be considered as a security risk.
Answers. PDBs are required for debugging and store debugging information and they are created when you compile the application. Unless you plan to debug in production there is no need and you should aim to deploy in release mode.
PDB files are symbol files for Windows-based executable's. Without these files, it's not possible to get a readable C-level stack trace from the OpenEdge executable's on Windows platforms.
If your system isn't secure with the PDBs, it's probably not secure without them. Obviously, it depends how valuable the better error reports are to you. Personally, I value that a lot, so tend to deploy the PDBs.
98
I think a fair argument is also that not leaving the PDBs on the live servers is a risk. In the case where production is crashing and the problems can't be reproduced on dev or UAT, it's much more time consuming (and perhaps impossible) to diagnose where the error is occurring.
At the very least, the PDBs that match the deployed DLLs should be in a ZIP file on the production server somewhere. They should be easily located by people other than yourself in case you aren't around to assist.
Also see PDB Files: What Every Developer Must Know by John Robbins.
39
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
