SSW Foursquare

Do you use Glimpse?

Last updated by Brady Stroud [SSW] 7 months ago.See history

Glimpse allow you to easily perform diagnostics on your MVC application at runtime. As an ASP.NET developer (including ASP.NET MVC), you should use it all the time.

Glimpse lets you find useful information like:

  • Routing information
  • Profiling
  • Request information
  • Parameters passed into actions
  • Model inspector

The new version of Glimpse now also gives you a Heads Up Display (HUD) showing you important information all the time. While developing, it's a good idea to keep Glimpse open so you can see any issues as soon they come up.

GlimpseHeadsUpDisplay
Figure: The new Glimpse Heads Up Display

For more information on what the HUD provides, see Damian Brady's blog post.

Glimpse is available on NuGet, so it’s a simple matter to get it up and running on your application. You can find out more from their website.

glimpse
Figure: Glimpse in action - We can see which routes were chosen for this page, and the parameters used by the controller

Securing Glimpse for production use

Glimpse is very powerful but there are some considerations to be addressed before using it on Production.

  • 1. Security: Enabling Glimpse can reveal many details about your server – including full database connection details. Glimpse also publishes a full list of all the actions your MVC site can perform so you should thoroughly test the security on all restricted actions before you consider enabling Glimpse.
  • 2. Performance: Running Glimpse involves sending debug data with every request. This can impact site performance

Even with these considerations, Glimpse can provide some unique insights into production server performance so it’s worth spending the time to correctly configure Glimpse for production use.

Glimpse on Production Level 1: Developers Only

Install Glimpse on production so that only internal developers can enable it.This is achieved by:

  • Limiting access to an ip address range.
<glimpse enabled="true">
  <ipAddresses>
  <add address="127.0.0.1" />
  <add addressRange="192.168.1.1/24" />
  <add address="::1" />
</ipAddresses>
</glimpse>

Figure: Glimpse is now limited to localhost and the 192.168.1.x network

  • Using role-based authentication.
    If your site has role-based authentication, you can secure Glimpse usage by editing web.config to control access to the Glimpse.axd location.
<location path="glimpse.axd">
  <system.web>
         <authorization>
              <allow roles="Developers" />
              <deny users="\*" />
         </authorization>
  </system.web>
</location>

Figure: Glimpse is restricted to the Developers group

Glimpse on Production Level 2: Public by invitation only

If an end-user reports a problem on your website it can be useful to temporarily enable Glimpse for that user. Glimpse also has remote features allowing developers to see the user’s Glimpse data.

  • Create a new authentication role such as "PublicGlimpseUsers"
  • Edit web.config to control access to Glimpse.axd
<location path="glimpse.axd">
  <system.web>
         <authorization>
              <allow roles="Developers, PublicGlimpseUsers" />
              <deny users="\*" />
         </authorization>
  </system.web>
</location>

Figure: Glimpse.axd is now restricted to Developers and PublicGlimpseUsers

  • Disable the “config” section of Glimpse so that site connection strings are not published.
<pluginBlacklist>
     <add plugin="Glimpse.Core.Plugin.Config" />
</pluginBlacklist>

Figure: How to disable the Config tab

Eric Phan
We open source.Loving SSW Rules? Star us on GitHub. Star
Stand by... we're migrating this site to TinaCMS