Web.config Related Rules are not being enforced


Several Rules related to web.config settings are not being enforced.
My project file and the web.config are in the same directory, is this a problem?
Rules like the following are not being fired even when I am sure that I have the web.config set up to create a rule violation:
CA5405 - FormsAuthenticationRequireSSLShouldBeTrue
CA5408 - HTTPCookiesRequireSSLShouldBeTrue
CA5400 - DebugCompliationMustBeDisabled


AnthonyDiaz wrote Mar 28, 2011 at 3:40 PM

I'm running these rules in Visual Studio (not FxCop) and it appears that there is some kind of conflict with the IsProjectEnableAspScan function in the WebConfigurationInstrospectionRule. (I'm not an expert in Code Analysis Rules, but when I make this function always return true and make some minor changes upstream it appears to enforce the rules properly. I know that's a bit of a hack, but it got the rules working.)

wrote Feb 14, 2013 at 2:00 AM

wrote Apr 20, 2016 at 6:13 AM

murugaperumalwin wrote Apr 20, 2016 at 7:22 AM


Though my web.config has some violation, I didn’t get any FxCop error messages specific to config files.

When I am running only AspNetConfigurationSecurityRules.dll rules against my web project dll using FxCopcmd.exe (not in visual studio), I came to know that AspNetConfigurationSecurityRules.dll is not working as expected.
I am expected at least expecting one violation “Trace should be disabled” - CheckId="CA5409" in my
FxCopReport.xml. However I couldn’t see any report file.

Please share your thoughts or ideas

Here is my sample code.
Web Config :

<authentication mode="None" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<trace enabled="true"/>
<httpCookies requireSSL="true" httpOnlyCookies="false"/>
<customErrors mode="On"/>
Sample FxCop’s output in console :
Loaded AspNetConfigurationSecurityRules.dll…
Loaded WebApplication6.dll…
Initializing Introspection engine…
Analysis completed.
No Message written.
Analysis Summary :
Messages: 0

Sample Console Command:
"C:\CodeVerifier\Tools\FxCop\FxCopCmd.exe" /out:C:\CodeVerifier\FxCopReport.xml /summary /gac /file:"C:\Projects\WebApplication6\bin\WebApplication6.dll" /rule:"C:\CodeVerifier\Tools\FxCop\Rules\AspNetConfigurationSecurityRules.dll"