CRV2 FrameworkSpecIssuesASPNetConfigs

=Secure Configuration Values=
Sensitive information saved in config files should be encrypted, for example the encryption keys stored in the machineKey element, or connection strings that contain the username and password used to log in to the database.

=Lock ASP.NET Configuration settings=
You can lock configuration settings in ASP.NET configuration files (Web.config files) by adding an allowOverride attribute to a location element.

=Configure directories using Location Settings=
Through the location element you can establish settings for specific folders and files. The path attribute is used to specify the file or subdirectory. This is done in the Web.config file, for example:

=Configure exceptions for Error Code handling=
Showing and handling the correct error code when a user sends a bad request or invalid parameters is an important configuration subject. Logging these errors is also an excellent help when analyzing potential attacks on the application.

It is possible to configure these errors in the code or in the Web.config file.

The HttpException class describes an exception that occurred during the processing of HTTP requests. For example:

 // Reject requests that arrive without the required "id" parameter
 if (string.IsNullOrEmpty(Request["id"])) throw new HttpException(400, "Bad request");

or in the Web.config file:
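
The following Web.config is an added example, not part of the original page: it shows a locked location element, a path-specific location block, and a customErrors mapping for the 400 error raised in the code above. The folder name, role name and error page paths are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: "admin", "Administrators" and the ~/Errors/ pages are
     assumed placeholders, not values from the original page. -->
<configuration>

  <!-- Site-wide settings, locked. allowOverride="false" stops Web.config
       files in subdirectories from changing anything inside this element. -->
  <location allowOverride="false">
    <system.web>
      <!-- RemoteOnly: remote users get the pages below and never the
           detailed error or stack trace; only requests from the local
           machine see it. Avoid mode="Off" on a production server. -->
      <customErrors mode="RemoteOnly" defaultRedirect="~/Errors/General.aspx">
        <!-- Served when code throws HttpException(400, ...) -->
        <error statusCode="400" redirect="~/Errors/BadRequest.aspx" />
        <error statusCode="404" redirect="~/Errors/NotFound.aspx" />
      </customErrors>
    </system.web>
  </location>

  <!-- Settings for one subdirectory: path names the folder (or file)
       the enclosed settings apply to. -->
  <location path="admin" allowOverride="false">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom: allow the role, deny the rest. -->
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```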

     