I build a Blazor Web App (server side rendering) with C# and .NET 8. The app is hosted on an Azure App Service. If an error occurs and I open the browser dev tools, I can see a detailed error message. This is great!
But I don't understand why I can see the local path of the *.razor.cs file?
See screenshot:
I am confused why the Azure App Service knows where my local Visual Studio project is located. The app is published via Visual Studio directly and built in "Release" mode.
From a developer perspective, it's great because we all love detailed error messages. But this is maybe too much information for an attacker or something...
Any thoughts?
As another user said, you are getting this file path in the error from the pdb file. It is explained in detail at the link below.
Azure Error Referencing Local Path
To avoid this information being displayed, you could do one of the following:
1) You can delete the pdb files
2) You can set the environment variable to production and manage error handling as shown here:
On the Azure App Service, set the environment variable ASPNETCORE_ENVIRONMENT to the value Production.
In the Program.cs file, use this code:
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error"); // Redirects to a generic error page
    app.UseHsts();
}
This will show detailed error information during development. In production, this redirects to a generic error page (Error.cshtml), preventing detailed exception details (like file paths) from being shown.
For more detail, you could refer to the documentation about how to handle errors in Blazor and how to secure a Blazor app:
https://learn.microsoft.com/en-us/aspnet/core/blazor/fundamentals/handle-errors?view=aspnetcore-8.0
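Option 1 above can also be applied at build time instead of deleting files after each publish. The following .csproj fragment is an added example, not part of the original answer; the `/_/src` remap target in Option B is a placeholder chosen for this example.

```xml
<!-- Added example for the project's .csproj; not from the original answer. -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <!-- Option A: Release builds emit no symbols, so the publish output
       contains no .pdb for the runtime to read source paths from.
       Trade-off: stack traces in server logs lose file names and line numbers. -->
  <PropertyGroup Condition="'$(Configuration)' == 'Release'">
    <DebugType>none</DebugType>
    <DebugSymbols>false</DebugSymbols>
  </PropertyGroup>

  <!-- Option B (use instead of A): keep symbols for server-side logs, but
       record a neutral root in place of the local project directory.
       "/_/src" is an arbitrary placeholder chosen for this example. -->
  <!--
  <PropertyGroup Condition="'$(Configuration)' == 'Release'">
    <PathMap>$(MSBuildProjectDirectory)=/_/src</PathMap>
  </PropertyGroup>
  -->

</Project>
```

After republishing, confirm that the publish folder no longer contains .pdb files (Option A) or that a test exception logged on the server shows the remapped root instead of the local project path (Option B).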