Hosting Tutorial & Guide

Caution! ASP.NET Shared Web Hosting Trust Level

updated on Oct 13, 2016
Caution! ASP.NET Shared Web Hosting Trust Level With more and more people and companies developing websites by Microsoft .NET technology, ASP.NET shared web hosting comes to be the major solution provided by many web hosting companies. Most of people choose an ASP.NET web host considering about .NET framework version, ASP.NET MVC support, SQL Server database, disk space or bandwidth but they usually ignore the most important feature “IIS security level”. That determines whether the ASP.NET websites can run successfully on the shared web host. In result to, if you developing an ASP.NET website that works well in the local development environment and attempt to run it in the ASP.NET shared web host, you may get the following exception,
System.Security.SecurityException: That assembly does not allow partially trusted callers.
This is caused by the security level of the ASP.NET shared web host that your application is forced to run with the limited permission, by locking down the access to server file system, preventing the background threads, or interacting with COM interfaces, etc.

ASP.NET Web Hosting Trust Levels

This security level is known as the Trust Level of IIS for ASP.NET websites.
ASP.NET Web Hosting Trust Level
It can be configured with the following setting:
  • Full Trust: website can do everything that the account of the application pool can do on the web server. This is the most flexible configuration for running websites on the shared web hosts. You won’t have any problems unless your website accesses the system information.
  • High Trust: websites are limited to call unmanaged code, e.g. Win32 APIs, COM interop.
  • Medium Trust: websites are limited to access the file system except the website application directory, system registry, Code DOM, and more (we will talk it later), compared to High Trust.
  • Low Trust & Minimal Trust: these two options restrict the websites seriously. Even they don’t allow websites to call the service out of process, such as database, network, etc. But we never saw an ASP.NET shared web host configured with either one of these two options.

Full Trust and Medium Trust are two widely used levels in ASP.NET shared web hosting. The full trust provides best flexibility but it has potential security issues to the shared server, especially when the web hosting provider doesn't have rich experience on setting up Windows permission and IIS. Compared to Full Trust, you have to review the website carefully before you go with a web host only supports Medium Trust Level. You can refer to the following checkpoints for the review,
  • The website shall not call unmanaged APIs.
  • The website shall not access to file system, system registry, event logs and anything else related to the system.
  • The website shall not generate code for execution dynamically using Code DOM.
  • The website shall not use XslTransform to transform something from XML using XSLT.
  • The website has to be signed with a Strong Name.
Check with the web page from Microsoft about which namespaces and classes are not supported in Medium Trust environment.

And here is quick way to confirm the compatibility of websites to Medium Trust Level, in the local environment,
1. Add partially trusted callers attribute into AssemblyInfo.cs file of the website project, as following code snippet,
[assembly: AllowPartiallyTrustedCallers]
2. Add the following line into the web.config,
<trust level="Medium" />


It's a tradeoff between these two trust level. But if you confirm that the website can run successfully with Medium Trust in your local environment, we suggest you choose an ASP.NET web host with Medium Trust only. It shall be more secure and reliable anyway. If you host the website based on 3rd party framework such as DotNetNuke, or using 3rd party component, we recommend you going with Full Trust web host. As our own experience as an example, about 2 years ago, we hosted a website referencing Spring.NET 1.0 running with a Medium Trust web hosting successfully. But after we upgraded Spring.NET to the latest 1.2, we found it cannot be compatible with Medium Trust environment. The 3rd party is the uncertainty at anytime.

Full Trust ASP.NET Web Hosting Full Trust ASP.NET Web Hosting - Host4ASP.NET
Host4ASP.NET provides the best cost effective ASP.NET web host with Full Trust level. It’s using Windows Server 2012 R2 platform, supports SQL Server 2012/2014, .NET Framework 2.0/3.5/4.0/4.5/5, ASP.NET MVC 2/3/4/5/6, and Microsoft Chart Controls, etc. Host4ASP.NET ASP.NET web hosting allows users to host one or multiple websites with one account. It's now pricing at $2.95/month only. Read more about Host4ASP.NET ASP.NET Web Hosting.

Medium Trust ASP.NET Web Hosting Medium Trust ASP.NET Web Hosting - HostGator
HostGator launches Windows web hosting in May, 2011, based on Windows Server 2012 R2, with SQL Server 2008. HostGator takes security as the most important factor in web hosting business, the web host only supports Medium Trust Level and the access to SQL Server database from Management Studio remotely needs to manual approval by their technical support via live chat or telephone. HostGator Windows web hosting is a quite affordable, pricing $4.16/month. And it only supports to host one website per hosting account. Read more about HostGator Windows web hosting.