What grading would you give a Dev that uses .xml file instead of .config for a Web Site?

Today I looked at some code and saw (from an alleged experienced developer) WCF binding puts in a .xml file in the root of a web application instead of web.config. When I just starting to ramp up on C#, I did similar things until I learnt how to define and create new sections in .config files (see  http://www.codeproject.com/KB/cs/CustomConfigurationSectio.aspx if you are missing this skill ).

 

In this case, there was no need to create new configuration sections – it’s there automatically, Furthermore, http://msdn.microsoft.com/en-us/library/cc949012.aspx walks you through how to do it – so the standards are there.

 

Anyone who is security aware, knows that .xml file in the root are easily fished for and retrieved by hackers. While it is possible to protect them by changing IIS settings, that is, IMHO, rarely a robust solution and subject to breaks (and thus security exposure). WCF bindings, especially to an isolated system are prize material for hackers and attacks.

 

So on a A-F scale, where would you wait such a developer? I have my own opinion, but I tend to hang out with “do-it-right junkies” and not the usual industry devs.

Comments

Popular posts from this blog

Simple WP7 Mango App for Background Tasks, Toast, and Tiles: Code Explanation

Yet once more into the breech (of altered programming logic)

Error : /ScriptResource.axd : Invalid viewstate.