.NET

A 61-post collection

Raygun.io and ignoring specific Web API exception types

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have Raygun.io ignore specific exception types raised by Web API. Firstly, Web API support came a couple of months ago which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? (HIBP), partly to enable nice light async requests once pages have already loaded and partly as a dedicated API that others can consume at will. Setting up Raygun.io was dead simple and it looks like this in the...

10 things I learned about rapidly scaling websites with Azure

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on: This is Have I been pwned? (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately. This is what happened last week when traffic literally increased 60-fold overnight. September 10 – 2,105 sessions. September 11 – 124,036 sessions. Interesting stuff happens when scale changes that dramatically, that quickly so I thought I’d share a few things I learned here, both things I was already doing...

Solving the tyranny of HTTP 403 responses to directory browsing in ASP.NET

You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk. What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risk of being pwned?! Yes, because it discloses the presence of a folder called “scripts” which is a common directory. Well of course there’s a bloody folder called “scripts”, all my HTML source which you can see references it!...
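The status-code difference the post is poking at is what directory-enumeration scanners actually key on: a 403 for a path that exists versus a 404 for one that does not is an existence oracle, and it works just as well for directories the HTML never references. The added example below is not from the post and is not ASP.NET or IIS code; it is a tiny WSGI app over a constructed in-memory site tree (`SITE`, `WORDLIST`, `make_app`, `probe` and `enumerate_directories` are all names invented here) that serves files with directory browsing disabled in two configurations, the leaky 403 one and the uniform 404 one, and a scanner-style probe that shows what each discloses.

```python
"""Added example: the 403-vs-404 directory existence oracle, and the 404-everywhere fix."""
from urllib.parse import unquote

# Constructed in-memory site tree (not a real deployment). Note that "backup" is never
# referenced from any HTML, which is the kind of directory the oracle gives away.
SITE = {
    "index.html": b"<html><script src='/scripts/app.js'></script></html>",
    "scripts/app.js": b"console.log('hi');",
    "content/site.css": b"body { margin: 0 }",
    "backup/site.bak": b"old copy of the site",
}

# Constructed wordlist of the kind a scanner would use.
WORDLIST = ["admin", "backup", "content", "images", "scripts", "uploads"]

REASONS = {200: "OK", 403: "Forbidden", 404: "Not Found"}


def _kind(path: str):
    """Classify a request path against SITE: 'file', 'dir' or None (hypothetical helper)."""
    p = unquote(path).strip("/")
    if p == "":
        p = "index.html"  # default document for the site root
    if p in SITE:
        return "file"
    if any(key.startswith(p + "/") for key in SITE):
        return "dir"
    return None


def status_for(path: str, hide_directories: bool) -> int:
    """Status code for a path with directory browsing disabled.

    hide_directories=False reproduces the default behaviour the post complains about:
    an existing directory answers 403 while a missing one answers 404.
    hide_directories=True answers 404 for both, removing the oracle.
    """
    kind = _kind(path)
    if kind == "file":
        return 200
    if kind == "dir" and not hide_directories:
        return 403
    return 404


def make_app(hide_directories: bool):
    """Build a WSGI app with the chosen directory-disclosure behaviour."""
    def app(environ, start_response):
        code = status_for(environ.get("PATH_INFO", "/"), hide_directories)
        start_response(f"{code} {REASONS[code]}", [("Content-Type", "text/plain")])
        return [REASONS[code].encode()]
    return app


def probe(app, path: str) -> int:
    """Issue one in-process GET against a WSGI app and return the status code."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"]


def enumerate_directories(app, wordlist=WORDLIST):
    """Do what a scanner does: report every wordlist entry the server admits exists."""
    return sorted(word for word in wordlist if probe(app, f"/{word}/") == 403)


if __name__ == "__main__":
    print("leaky   :", enumerate_directories(make_app(hide_directories=False)))
    print("hardened:", enumerate_directories(make_app(hide_directories=True)))
```

Either app can be served for real with `wsgiref.simple_server.make_server("127.0.0.1", 8080, make_app(True))`. The hardened variant still serves `/scripts/app.js` normally; it only stops distinguishing "directory you may not list" from "nothing here", which is the whole of what the 404 answer buys you.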

Training the next generation of developers to be security conscious at SSW’s FireBootCamp

Heard of SSW’s FireBootCamp before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a whole two months of full-assault level real world coder training. The idea of the FireBootCamp is that it’s intense training for would-be software devs on all the good bits of Microsoft...

Revealing the security secrets within ASP.NET with Pluralsight

Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the request you can make in order to mitigate the risk of a denial of service attack? And, for that matter,...
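The View State check mentioned above is worth seeing in code, because the failure mode (a MAC that is disabled, or never verified in constant time) is exactly what lets a client rewrite server-side state in a posted form. The added example below is not from the course or from ASP.NET: it models the check in Python with a JSON payload and HMAC-SHA256, whereas the real `__VIEWSTATE` field uses ASP.NET's own serializer and the `machineKey` validation key, so the format here is illustrative only. `VALIDATION_KEY`, `protect`, `unprotect`, `tamper` and `ViewStateTampered` are names invented for this example, and the `require_mac=False` path stands in for the old `enableViewStateMac="false"` configuration.

```python
"""Added example: a MAC-protected form field in the style of ASP.NET View State."""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical stand-in for the machineKey validation key. A real deployment keeps this
# out of source control and identical on every node of a web farm.
VALIDATION_KEY = secrets.token_bytes(64)
TAG_LEN = hashlib.sha256().digest_size


class ViewStateTampered(ValueError):
    """Raised when the posted field fails the MAC check."""


def protect(state: dict, key: bytes = VALIDATION_KEY) -> str:
    """Serialise state, append an HMAC-SHA256 tag and base64 the lot as a form field value."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def unprotect(field: str, key: bytes = VALIDATION_KEY, require_mac: bool = True) -> dict:
    """Verify the tag and return the state; require_mac=False models a disabled MAC."""
    try:
        blob = base64.b64decode(field, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ViewStateTampered("field is not valid base64") from exc
    if len(blob) <= TAG_LEN:
        raise ViewStateTampered("field too short to carry a tag")
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if require_mac:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # compare_digest avoids leaking the position of the first mismatching byte
        if not hmac.compare_digest(tag, expected):
            raise ViewStateTampered("MAC mismatch")
    return json.loads(payload)


def tamper(field: str, old: bytes, new: bytes) -> str:
    """What a client does to a field it can read: decode, edit the payload, re-encode."""
    blob = base64.b64decode(field)
    return base64.b64encode(blob.replace(old, new, 1)).decode()


def demo(require_mac: bool = True) -> str:
    """Return 'accepted' if a forged field gets through, else the rejection reason."""
    field = protect({"is_admin": False, "price": 100})
    forged = tamper(field, b'"is_admin":false', b'"is_admin":true')
    try:
        state = unprotect(forged, require_mac=require_mac)
    except ViewStateTampered as exc:
        return str(exc)
    return "accepted" if state["is_admin"] else "unchanged"


if __name__ == "__main__":
    print("MAC on :", demo(require_mac=True))
    print("MAC off:", demo(require_mac=False))
```

With the MAC enforced the edited field is rejected before it is deserialised; with the check switched off the same post is accepted and the client has promoted itself. The length and base64 checks run before the MAC so that malformed input never reaches the comparison with a short or empty tag.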