Hide resizer.debug.ashx from your website.
Many of us use the popular http://imageresizing.net library to manipulate or resize images on our websites. But with that plugin you also get resizer.debug.ashx. This little thingy actually shows a lot of information about your website to the world.
The page is actually part of the Diagnostics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, so make sure you have configured the customErrors section correctly in your web.config.
Example of information exposed from one partner website:
Environment information:
Running Microsoft-IIS/8.5 on Microsoft Windows NT 6.3.9600.0 and CLR 4.0.30319.42000
Trust level: Unrestricted
OS bitness: AMD64
Executing assembly: c:\windows\system32\inetsrv\w3wp.exe
IntegratedPipeline: True
Loaded assemblies:
mscorlib Assembly: 4.0.0.0 File: 4.6.1055.0 Info: 4.6.1055.0
System.Web Assembly: 4.0.0.0 File: 4.6.1069.1 Info: 4.6.1069.1
System Assembly: 4.0.0.0 File: 4.6.1055.0 Info: 4.6.1055.0
System.Core Assembly: 4.0.0.0 File: 4.6.1055.0 Info: 4.6.1055.0
System.Web.ApplicationServices Assembly: 4.0.0.0 File: 4.6.1069.1 Info: 4.6.1069.1
System.Configuration Assembly: 4.0.0.0 File: 4.6.1055.0 Info: 4.6.1055.0
System.Xml Assembly: 4.0.0.0 File: 4.6.1064.2 Info: 4.6.1064.2
System.Runtime.Caching Assembly: 4.0.0.0 File: 4.6.1055.0 Info: 4.6.1055.0
Microsoft.Build.Utilities.v4.0 Assembly: 4.0.0.0 File: 4.0.30319.33440 Info: 4.0.30319.33440
Microsoft.JScript Assembly: 10.0.0.0 File: 14.0.1055.0 Info: 14.0.1055.0
I guess many of us do not care, but I think it is a good idea to hide that information, and we may forget to set the right customErrors. Another way of removing the information is to use a rewrite rule in your project like the one below, instead of removing the plugin or relying on the customErrors section.
<!-- IIS URL Rewrite rule; it belongs inside <system.webServer><rewrite><rules>. -->
<!-- The wildcard pattern matches every .ashx URL, so any other .ashx handler
     on the site will also return 404. -->
<rule name="ImageResizer"
      patternSyntax="Wildcard"
      stopProcessing="true">
  <match url="*" />
  <conditions>
    <add input="{URL}"
         pattern="/*.ashx" />
  </conditions>
  <!-- Answer with a plain 404 instead of running the handler -->
  <action type="CustomResponse"
          statusCode="404"
          statusReason="File or directory not found."
          statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
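To check a web.config for the exposure described above before deploying, here is an added example (not code from this post or from the ImageResizer project) that reports which hosts can reach resizer.debug.ashx. It assumes the resizer section accepts a diagnostics element with enableFor set to AllHosts, Localhost or None, as in the ImageResizer documentation, and that without that element the page follows customErrors as described above; both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: detailed errors for everyone, no diagnostics override.
WEAK = """<configuration>
  <system.web><customErrors mode="Off" /></system.web>
  <resizer><plugins><add name="DiskCache" /></plugins></resizer>
</configuration>"""

# Constructed sample: diagnostics page switched off in the resizer section.
HARDENED = """<configuration>
  <system.web><customErrors mode="RemoteOnly" /></system.web>
  <resizer><diagnostics enableFor="None" /></resizer>
</configuration>"""

# Assumed enableFor values (from the ImageResizer docs, not from this post).
ENABLE_FOR = {"allhosts": "all-hosts", "localhost": "localhost", "none": "none"}
# Hosts that see detailed ASP.NET errors for each customErrors mode.
CUSTOM_ERRORS = {"off": "all-hosts", "remoteonly": "localhost", "on": "none"}


def diagnostics_exposure(web_config_xml):
    """Return 'all-hosts', 'localhost' or 'none' for resizer.debug.ashx."""
    root = ET.fromstring(web_config_xml)

    # An explicit <diagnostics enableFor="..."/> overrides customErrors.
    diag = root.find("./resizer/diagnostics")
    explicit = diag.get("enableFor") if diag is not None else None
    if explicit:
        key = explicit.strip().lower()
        if key not in ENABLE_FOR:
            raise ValueError("unknown enableFor value: " + explicit)
        return ENABLE_FOR[key]

    # No override: the page is shown to whoever gets detailed error pages.
    # ASP.NET defaults to RemoteOnly when customErrors is not configured.
    errors = root.find("./system.web/customErrors")
    mode = (errors.get("mode") if errors is not None else None) or "RemoteOnly"
    key = mode.strip().lower()
    if key not in CUSTOM_ERRORS:
        raise ValueError("unknown customErrors mode: " + mode)
    return CUSTOM_ERRORS[key]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", diagnostics_exposure(cfg))
```

The check reads only the root web.config text it is given; settings inherited from machine.config, config transforms or location elements are not resolved.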