Friday, April 9, 2010

What grading would you give a Dev that uses .xml file instead of .config for a Web Site?

Today I looked at some code and saw (from an alleged experienced developer) WCF binding puts in a .xml file in the root of a web application instead of web.config. When I just starting to ramp up on C#, I did similar things until I learnt how to define and create new sections in .config files (see if you are missing this skill ).


In this case, there was no need to create new configuration sections – it’s there automatically, Furthermore, walks you through how to do it – so the standards are there.


Anyone who is security aware, knows that .xml file in the root are easily fished for and retrieved by hackers. While it is possible to protect them by changing IIS settings, that is, IMHO, rarely a robust solution and subject to breaks (and thus security exposure). WCF bindings, especially to an isolated system are prize material for hackers and attacks.


So on a A-F scale, where would you wait such a developer? I have my own opinion, but I tend to hang out with “do-it-right junkies” and not the usual industry devs.

No comments:

Post a Comment