Getting your ASP.NET application production-ready

Posted: (EET/GMT+2)

 

I've been working for the last couple of months with an ASP.NET web application that will soon be put into production. Since this is something I've done many times already, I wanted to write a quick blog post listing the things that are easy to miss in a hurry but give you a better-quality experience right from the start. The list below is by no means complete and isn't meant to be; feel free to send me your own thoughts.

Here goes (not in any particular order):

  • Make sure you have custom error pages set up in web.config, and that you have debugging disabled. Also, have a separate error page for 404 errors (page not found) so that you can track invalid links inside your application (and hacking attempts).
  • Make sure you handle exceptions properly. It's much better to have a nice error message instead of the default ASP.NET "Yellow Page of Death".
  • Do log your application exceptions somewhere. Usually, I use a simple database table for this, and write handling logic inside the Global.asax file's exception handling. But, you should also have more specific exception logging inside the non-trivial parts of your application.
  • While on the subject of logging, take into account the situation where you cannot access the database. Where should you log such events? In times of trouble, how can you access these logs? Do you have remote access?
  • If you use the Session object to transfer data (typical for ASP.NET Web Pages applications), make sure you handle the situation where the user has disabled cookies. Make a "cookie check" page, and inform the user.
  • Stress-test your application to handle load gracefully. There are plenty of load-testing tools, but you could also build your own simple testing tools pretty easily. Oh, do test early, and not a week before you go into production.
  • Make sure you have security in place. I usually do this with Forms authentication through web.config, but it's better to have a secondary check as well in your application logic. Remember role-based checks, too, so that you can differentiate a regular user from an admin user. Make sure all other bindings, such as JSON-returning API functions, have been secured as well.
  • Input validation. Make sure you utilize what's available in ASP.NET, for instance, automatic input validation, validator controls, and so on. Make sure you validate required fields, input formats (numbers and email addresses and the like) and illegal characters. Let the client-side validation do some of the work, but don't rely on it – you must have validation on the server side as well.
  • Test your routes (as in ASP.NET routing). During development time you might have added routes that don’t work anymore as you approach production-readiness.
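
The web.config items above (debugging off, custom error pages, a separate 404 page, Forms authentication that denies anonymous users) can be checked automatically before deployment. The script below is an added example, not code from the original post. Both web.config samples and the page names in them are constructed, and it assumes a web.config without an XML namespace on the root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a development-style web.config (not from the original post).
WEAK = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <authentication mode="Forms" />
  </system.web>
</configuration>"""

# Constructed sample with the checklist items applied; page names are placeholders.
HARDENED = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
    <authentication mode="Forms"><forms loginUrl="~/Login.aspx" /></authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings for the root <system.web> section."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug is enabled")
    errors = web.find("customErrors")
    # mode="Off" shows detailed ASP.NET error pages to every visitor.
    if errors is not None and errors.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode is Off")
    if errors is None or not any(e.get("statusCode") == "404" for e in errors.findall("error")):
        findings.append("no dedicated 404 error page")
    # Simplified: looks for any <deny> covering anonymous ("?") or all ("*") users.
    denies = web.findall("authorization/deny")
    if not any(u.strip() in ("?", "*") for d in denies for u in d.get("users", "").split(",")):
        findings.append("anonymous users are not denied")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_web_config(cfg))
```

This only inspects the root configuration; `<location>` overrides and the secondary checks in application logic still need their own review.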

Hope this helps!