Runtime Policies - Glimpse/Glimpse GitHub Wiki
Glimpse determines if it should execute for a given request by executing the registered "Runtime Policies" and asking each in turn.
As mentioned, to make sure Glimpse doesn’t show possibly sensitive diagnostic data, it leverages Runtime Policies. This authorizes or prevents the Glimpse Runtime from returning the aggregated data or even from running in the first place – all of this is determined per request.
An example of this is the Glimpse cookie. This is what drives the "Turn Glimpse On" button in glimpse.axd and is checked by the `ControlCookiePolicy`. That said, it is not used to prevent access to aggregated data but rather to inform the Glimpse Runtime whether or not it should collect information during the execution of a request.
All is not lost however. Glimpse is secure by default because it registers, out of the box, the `LocalPolicy`. The `LocalPolicy` is a runtime policy that checks whether or not a request has been made from the local machine; if this is not the case, Glimpse will not aggregate data and certainly not return (previously) aggregated data. This is also the policy that must be ignored in the `web.config` if you would like to get Glimpse diagnostics from a remote server.
Now if you remove the `LocalPolicy`, there is no security policy and every request can display all the Glimpse data. You could disable Glimpse completely in the `web.config` by setting `defaultRuntimePolicy="Off"` in the glimpse config section, but then no one would be able to gather Glimpse data.
So you need to replace the `LocalPolicy` with your own custom security policy. For example, to allow only users in the Administration role to see Glimpse data, remove the comments from the `GlimpseSecurityPolicy.cs` file. (This file is available if you have installed the `Glimpse.AspNet` NuGet package.) See Creating your own custom runtime policies.
Are you interested in learning more about creating your own Runtime Policies and controlling when Glimpse runs in your system (i.e. only if "Administrator" is logged on, or some other arbitrary logic)? It really is quite easy.
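A role-based policy of the kind described above, written here as an added example rather than the wiki's own `GlimpseSecurityPolicy.cs` template. It assumes the `IRuntimePolicy` interface from `Glimpse.Core.Extensibility` and the `GetHttpContext()` extension from `Glimpse.AspNet.Extensions`, and fails closed so that an anonymous or unauthenticated request never gets diagnostics:

```csharp
using Glimpse.AspNet.Extensions;   // GetHttpContext() on IRuntimePolicyContext (assumed namespace)
using Glimpse.Core.Extensibility;  // IRuntimePolicy, IRuntimePolicyContext, RuntimePolicy, RuntimeEvent

// Runtime policy that only lets members of the "Administration" role see Glimpse data.
// Intended to replace LocalPolicy when remote diagnostics are needed (LocalPolicy
// must still be ignored in web.config, as described above).
public class AdministrationRolePolicy : IRuntimePolicy
{
    // Role name taken from the wiki text above.
    private const string RequiredRole = "Administration";

    public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
    {
        var httpContext = policyContext.GetHttpContext();
        var user = httpContext != null ? httpContext.User : null;

        // Fail closed: no principal, an unauthenticated identity, or a missing role
        // all mean Glimpse neither collects nor returns data for this request.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return RuntimePolicy.Off;
        }

        return user.IsInRole(RequiredRole) ? RuntimePolicy.On : RuntimePolicy.Off;
    }

    // EndRequest covers data collection for the page itself; ExecuteResource covers
    // requests for glimpse.axd resources, i.e. retrieval of already aggregated data.
    // Guarding only one of the two would leave the other path open.
    public RuntimeEvent ExecuteOn
    {
        get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
    }
}
```

Glimpse discovers `IRuntimePolicy` implementations in the application's own assemblies, so no extra registration is needed beyond dropping the class into the project.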
These policies are part of the core `Glimpse` package, and so are always part of a Glimpse installation. They are not specific to any web development framework.

- Glimpse - `Install-Package Glimpse`

The `Glimpse.AspNet` package adds these policies to Glimpse:

- Local - This policy means that Glimpse won't run remotely.

- Glimpse AspNet - `Install-Package Glimpse.AspNet`