ELMAH Security Validator

Check your website for unsecured ELMAH logs

Keeping your ELMAH log open to the public can have fatal consequences. Don't believe us? Check out Troy Hunt's ASP.NET session hijacking with Google and ELMAH.

Enter the root URL of your website in the text field below and click Validate to start analyzing your website:

Danger, Will Robinson!

One or more public ELMAH logs found on

To turn off remote access, add the following configuration to your <elmah> element in web.config:

<security allowRemoteAccess="false" />
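
To confirm the setting before deployment, the following added example (not part of this validator or of ELMAH) audits a web.config file offline for the <security> element shown above. The function name audit_elmah, the set of values treated as "on", the rule that a registered handler needs an explicit "false", and the sample configurations are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: these values switch remote access on; anything else is treated as off.
TRUTHY = {"true", "yes", "on", "1"}

def audit_elmah(web_config_xml):
    """Summarise ELMAH exposure for one web.config document (no XML namespace)."""
    root = ET.fromstring(web_config_xml)
    # Paths where the ELMAH log page handler is registered, e.g. elmah.axd.
    paths = sorted({
        add.get("path", "")
        for add in root.iter("add")
        if add.get("type", "").replace(" ", "").lower()
              .startswith("elmah.errorlogpagefactory")
    })
    security = root.find("./elmah/security")
    attrs = security.attrib if security is not None else {}
    if "allowRemoteAccess" in attrs:
        value = attrs["allowRemoteAccess"].strip().lower()
        setting = "remote-enabled" if value in TRUTHY else "local-only"
    elif any(name.lower() == "allowremoteaccess" for name in attrs):
        # XML attribute names are case-sensitive: flag the spelling for review.
        setting = "check-attribute-case"
    else:
        setting = "not-set"
    # Local policy (assumption): a registered handler needs an explicit "false".
    return {"handler_paths": paths, "remote_access": setting,
            "needs_action": bool(paths) and setting != "local-only"}

# Constructed sample configurations, not taken from any real site.
EXPOSED = """<configuration>
  <system.web><httpHandlers>
    <add verb="POST,GET,HEAD" path="elmah.axd"
         type="Elmah.ErrorLogPageFactory, Elmah" />
  </httpHandlers></system.web>
  <elmah><security allowRemoteAccess="true" /></elmah>
</configuration>"""
HARDENED = EXPOSED.replace('"true"', '"false"')
MISCASED = HARDENED.replace("allowRemoteAccess", "allowremoteaccess")

if __name__ == "__main__":
    for label, doc in [("exposed", EXPOSED), ("hardened", HARDENED),
                       ("miscased", MISCASED)]:
        print(label, audit_elmah(doc))
```

Run it against each environment's transformed web.config, since a release transform can change the value that was reviewed in source control.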


No public ELMAH logs found on .