100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
.NET Framework

Deploying Web Pages Sites

Understand how to publish an ASP.NET Web Pages site to production using FTP or Web Deploy, configure web.config for release, and set correct IIS and App_Data permissions.

Web Pages FeaturesIntermediate10 min readJul 10, 2026
Analogies

Publishing Options

WebMatrix offers a built-in Publish command that uploads a site's files directly over FTP or FTPS to a hosting account, which is the fastest path for a small site but re-uploads the entire file set each time unless the host supports incremental sync. Web Deploy, invoked from WebMatrix or Visual Studio using a downloaded publish profile, instead synchronizes only changed files, can run pre- and post-deployment SQL scripts to update a remote database schema, and is the mechanism Azure App Service publish profiles use under the hood when a developer clicks Publish against an Azure Web App target.

🏏

Cricket analogy: Re-uploading an entire site via basic FTP every time is like reprinting an entire scorecard from scratch after every single run, whereas Web Deploy's incremental sync is like updating just the one number that changed.

Configuring web.config for Production

Before going live, web.config must be adjusted for production: customErrors mode="On" (or RemoteOnly) hides detailed stack traces from anonymous visitors while still logging the full exception server-side, and the compilation element's debug attribute must be set to "false" so pages compile with optimizations and never leak source-level debugging information to a client. Connection strings in the deployed web.config typically point at the production database server rather than a developer's local SQL Server Express instance, and Web.config transformations, such as Web.Release.config, automate swapping these values so a developer never has to remember to hand-edit settings before every publish.

🏏

Cricket analogy: A team keeping detailed injury reports internal to the dressing room while only announcing 'unfit to play' publicly mirrors customErrors hiding full stack traces from visitors while still logging details server-side.

App_Data and File Permissions

Sites using SQL Server Compact or a local SQL Server Express .mdf file store that database physically inside the App_Data folder, which must be included in the deployment package and, on IIS, given write permission for the application pool identity, commonly IIS_IUSRS or a specific app pool account, or every insert will fail with an access-denied error even though the site otherwise loads fine. Because App_Data is configured by default to reject direct HTTP requests, placing the database file there also protects it from being downloaded directly by a visitor who guesses its URL, unlike a database file mistakenly placed in a publicly served folder.

🏏

Cricket analogy: A team's official record book stored in a locked office that only authorized staff can write entries into, yet anyone can hear the announced score, mirrors App_Data being writable by the app pool identity but not directly downloadable over HTTP.

IIS Hosting Considerations

On IIS, the application pool's .NET CLR version must match what the site was built against, and Integrated Pipeline mode should be used unless a legacy component specifically requires Classic mode, since Integrated mode lets ASP.NET modules like forms authentication participate fully in the request pipeline alongside native IIS modules. The application pool identity, often ApplicationPoolIdentity by default, needs read access to the site's files and, as noted above, write access to App_Data if a local database or uploaded files folder is used, and mismatched or overly broad permissions are a common source of either mysterious 500 errors or unnecessarily wide-open security exposure.

🏏

Cricket analogy: Fielding the correct format team, T20 specialists for a T20 match rather than Test squad players, mirrors matching the application pool's .NET CLR version to what the site was actually built against.

xml
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
  </system.web>
  <connectionStrings>
    <add name="StarterSite"
         connectionString="Data Source=prod-sql;Initial Catalog=StarterSiteDb;
                            Integrated Security=false;User Id=svc_web;Password=***"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

Never deploy with compilation debug="true". A debug build discloses detailed stack traces and source line numbers to anyone who triggers an unhandled exception, and it also runs measurably slower because JIT optimizations are disabled.

  • WebMatrix's Publish command uploads over FTP/FTPS; Web Deploy syncs only changed files and can run SQL scripts.
  • Azure App Service publish profiles use Web Deploy under the hood.
  • compilation debug must be "false" and customErrors set to "On" or "RemoteOnly" in production.
  • Web.config transformations (e.g. Web.Release.config) automate swapping settings like connection strings per environment.
  • App_Data must be included in deployment and given write permission for the app pool identity if it holds a local database.
  • App_Data rejects direct HTTP requests by default, protecting files stored there from being downloaded.
  • The IIS application pool's CLR version and pipeline mode must match what the site was built for.

Practice what you learned

Was this page helpful?

Topics covered

#NETFramework#ClassicASPNETWebFormsWebPagesStudyNotes#MicrosoftTechnologies#DeployingWebPagesSites#Deploying#Web#Pages#Sites#WebDevelopment#StudyNotes#SkillVeris