how to secure elmah.axd if I am not using ASP.NET Membership

Question

I am using Elmah as error logging system in asp.net web form project. But in elmah any one can read error log by pasting /elmah.axd in the url

And I can not check authorization because I am not using ASP.NET Membership.

Answer 1

Can you lock it down with IP security (IIS7 +)?

<location path="elmah.axd">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <!--
        See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for 
        more information on using ASP.NET authorization securing ELMAH.
-->
    </system.web>
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" >
          <add ipAddress="127.0.0.1" allowed="true"/>
        </ipSecurity>
      </security>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>

Answer 2

I've found that the easiest option is to change the elmah.axd bits in the web.config to something else that no one will guess. Eg myerrors.axd (obviously choose something more obscure).

Then only you know what the page name is to view the errors....