Is self-host secure enough for Internet/production apps?

Mar 12, 2015 at 7:23 PM
AS the title says, is self-host secure enough for Internet/production apps? Why or why not?

Seems to me that they would be since HttpListener is also used by IIS, but I cannot find any info on the Net that confirms or denies.

Any information would be appreciated.

Mar 13, 2015 at 1:21 PM
It depends how you define "enough".

As the security PM for ASP.NET my version of enough is annoyingly high, as the devs will probably tell you. IIS gives you more protections than HttpListener does, including filtering, app restart, unicode path validation, some DOS protections and logging.

If you care about any of those things then you'd prefer IIS over self host, but I can't make that decision for you, it's all about how much risk you're willing to take, or how much you want to implement yourself.

Mar 13, 2015 at 4:02 PM
Thanks for the info.

As you know, installing IIS is not an option on Windows 7/8. I have a simple photo app that web-enables the myPictures folder and my greatest concern would be that a malicious user could somehow take over the user's computer. There is no file upload capability on the site. Do you have any other insights for me in lieu of this additional context?

Thanks again,