I followed the answer to this question Securing Elmah in ASP.NET website to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone can guess the RSS URL and subscribe to a feed of the error log?

No correct solution


I secure mine in the web.config with a role:

<location path="elmah.axd">
            <allow roles="SUPER_DUPER_ADMIN"/> 
            <deny users="*"/> 
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow