Welcome to the Glimpse Documentation! Here we hope to introduce you to the various tutorials, concepts and APIs you might need when discovering and using Glimpse.

NOTE: Glimpse docs are currently being improved. If you'd like to help out, just edit this page or contribute to our GitHub Wiki

Runtime Policies

Glimpse determines if it should execute for a given request by executing the registered "Runtime Policies" and asking each in turn.


As mentioned, to make sure Glimpse doesn’t show possibly sensitive diagnostic data, it leverages Runtime Policies. These authorizes or prevents the Glimpse Runtime from returning the aggregated data or even from running in the first place – all of this is determined per request.

Default Security

An example of this is the Glimpse cookie. This is what drives the “Turn Glimpse On” button in the glimpse.axd and is checked by the ControlCookiePolicy. That said, it is not used to prevent access to aggregated data but rather to inform the Glimpse Runtime whether or not it should collect information during the execution of a request.

All is not lost however. Glimpse is secure by default because it registers, out of the box, the LocalPolicy. The LocalPolicy is a runtime policy that checks whether or not a request has been made from the local machine and if this is not the case, then Glimpse will not aggregate data and certainly not return (previously) aggregated data. This is also the policy that must be ignored in the web.config if you would like to get Glimpse diagnostics from a remote server.

Running Remotely

Now if you remove the LocalPolicy, then basically everything is out in the open. There is nothing protecting you from having Glimpse gathering diagnostics and returning this to the person making the request. You could disable Glimpse completely in the web.config by setting the defaultRuntimePolicy="Off" in the glimpse config section, but then there is not much for you to personally get either.

So you need to replace the LocalPolicy with your own custom security policy. This sounds harder than it is – usually only a few lines of code are involved. There might already be an example of such a policy in your project (albeit commented out) if you installed the Glimpse.AspNet NuGet package, just look for a file named GlimpseSecurityPolicy.cs.

Make your own

Are you interested in learning more about creating your own Runtime Policies and controlling when Glimpse runs for in your system (i.e. only if "Administrator" is logged on or some other arbitrary logic)? It really is quite easy.


These policies are part of the core Glimpse package, and so are always part of a Glimpse installation. They are not specific to any web development framework.



  • Glimpse - Install-Package Glimpse


The Glimpse.AspNet package adds these policy to Glimpse:


  • Local - This policy means that Glimpse won't run remotely.