What’s ASP.NET shared hosting trust level?

You need to check many aspects before choosing a .Net hosting provider, those aspects should include .Net MVC framework, SQL Server, disk space, monthly bandwidth, hosting prices, but there’s one thing you may ignore really – “IIS Security Trust Level”.


If you’re not familiar with what’s asp.net shared hosting trust level, here I’d like to bring you a short introduction. The trust level is real important that could affect with your site secure and performance, and a full trust level means higher risk for hackers sneak into server to make destroy. Most of small .Net hosts only can give medium trust level on their servers. If your applications need to be run a full trust mode, then you’ve to look for a web host which can give full permission to you.


<system.web>
<securityPolicy>
<trustLevel name="High" policyFile="web_hightrust.config"/>
<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
<trustLevel name="Low" policyFile="web_lowtrust.config"/>
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
</system.web>

You can see there are 4 trust levels for web hosts to pre-set by default – Minimal trust, Low trust, Medium trust and High / Full trust. High trust means higher risk for hackers to sneak into server, most of Windows hosting companies doesn’t allow their customers to run full trust level by default.
- Full Trust allows the users to do everything of application pool on one Windows web server. Some of applications cannot work properly under a medium trust web server, full trust means more flexible and you’re also able to change to medium trust once your application don’t need full trust.
- High Trust, websites are limited to call unmanaged code, e.g. Win32 APIs, COM interop.
- Medium Trust level websites are limited to access the file system and not so flexible as full trust level web server.
- Low Trust & Minimal Trust level are 2 options to restrict the users heavily, it won’t allow users to connect to server actively. At present, there’s no Windows hosts offering such asp.net shared hosting plan yet.


With more and more people and companies developing websites by Microsoft .NET technology, ASP.NET shared web hosting comes to be the major solution provided by many web hosting companies. Most of people choose an ASP.NET web host considering about .NET framework version, ASP.NET MVC support, SQL Server database, disk space or bandwidth but they usually ignore the most important feature “IIS security level”. That determines whether the ASP.NET websites can run successfully on the shared web host. In result to, if you developing an ASP.NET website that works well in the local development environment and attempt to run it in the ASP.NET shared web host, you may get the following exception.


System.Security.SecurityException: That assembly does not allow partially trusted callers.


This is caused by the security level of the ASP.NET shared web host that your application is forced to run with the limited permission, by locking down the access to server file system, preventing the background threads, or interacting with COM interfaces, etc.
Full Trust and Medium Trust are two widely used levels in ASP.NET shared web hosting. The full trust provides best flexibility but it has potential security issues to the shared server, especially when the web hosting provider doesn't have rich experience on setting up Windows permission and IIS. Compared to Full Trust, you have to review the website carefully before you go with a web host only supports Medium Trust Level. You can refer to the following checkpoints for the review.
-The website shall not call unmanaged APIs.

-The website shall not access to file system, system registry, event logs and anything else related to the system.
-The website shall not generate code for execution dynamically using Code DOM.

-The website shall not use XslTransform to transform something from XML using XSLT.

-The website has to be signed with a Strong Name.

Check with the web page from Microsoft about which namespaces and classes are not supported in Medium Trust environment.
And here is quick way to confirm the compatibility of websites to Medium Trust Level, in the local environment.

1. Add partially trusted callers attribute into AssemblyInfo.cs file of the website project, as following code snippet,
[assembly: AllowPartiallyTrustedCallers]

2.Add the following line into the web.config,
<trust level="Medium" />

Medium Trust or Full Trust level? UP to Your choice:
If your website can be working fine under medium trust level, I suggest you don’t need a full trust asp.net hosting, most of popular .Net applications should be working fine under a medium trust level server, only when your application has to be run under a full trust level enviroment, then you can find an ASP.NET full trust hosting company.