Are there any security issues leaving the PDB debug files on the live servers?

Question

Are there any security issues keeping the .NET PDB files on the real server?

I know that throwing exceptions might take a bit longer , but who throws exceptions duri

Answer 1

Hmm - I'd lean on the side of security caution on this. I think you should have PDBs, but not on production servers. Besides, you should have Debug turned off on any live system. Debug is nasty, and you just don't want it when you don't need it.

From Scott Guthrie:

1. The compilation of ASP.NET pages takes longer (since some batch optimizations are disabled)
2. Code can execute slower (since some additional debug paths are enabled)
3. Much more memory is used within the application at runtime
4. Scripts and images downloaded from the WebResources.axd handler are not cached

Set deployment retail=true in your machine.config:

This overrides debug, error and trace settings, which will prevent any error disclosure outside of the computer itself.

So now that you have debug turned off, no error or trace on, why would you deploy PDB's to the production server? Store them somewhere else, perhaps even your development server. Your code promotion script from Dev to Production can specifically exclude the PDBs, but archive them so that they're available if you ever need to do debugging of production.