While hooking an HttpHandler up in web.config I thought about all the default HttpModules that are hooked up in machine.config. I did some research and found that the following modules are loaded into the ASP.NET pipeline by default:
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
<add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
<add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
<add name="Profile" type="System.Web.Profile.ProfileModule" />
If you don't use all of them, then why not remove them from the pipeline? This is a great question that I immediately had to find the answer to, but after a while I gave up finding anything on the web. Nobody has written about it. What I really wanted to know was how this will affect the performance of the application. The logical conclusion will be that it would boost the performance to have fewer modules in the pipeline, but I want to know how much. It should also reduce the attack surface.
The next question that needs an answer is which of the modules are safe to remove. I found that the UrlAuthorization and FileAuthorization modules act as a safeguard for security reasons, so they must stay. The three authentication modules can be removed if you don’t use them or at least the ones you don’t use. The rest can safely be removed if you don’t need them.
You can remove the modules you don’t need in the web.config like so:
<remove name="PassportAuthentication" />
<remove name="Profile" />
<remove name="AnonymousIdentification" />
If you know about the performance impact involved, please let me know.
UPDATE: Scott Guthrie says
This morning I checked my mail and saw one from Joe Kaiser. He had asked Scott Guthrie about this and here is his reply:
In general you can get some very small performance wins using this approach - although I'd probably recommend not doing it. The reason is that some features of ASP.NET (forms auth, roles, caching, etc) will of course stop working once you remove the modules they depend on. Trying to figure out why this has happened can often be confusing.
So there you have it. Small performance gains but you might be confused later on.