Don't Tell the Attacker Anything
Cryptic error messages are the bane of normal users and can lead to expensive support calls. However, you need to balance that helpfulness against what an error message reveals to an attacker. For example, if the attacker attempts to access a file, you should not return an error message such as "Unable to locate stuff.txt at c:\secretstuff\docs"; doing so reveals a little more about the environment to the attacker. Instead, return a simple error message, such as "Request Failed", and log the details in the event log so that the administrator can see what's going on.
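The same split in code, as an added illustration rather than the book's own: a leaky handler that echoes the path and exception to the caller, next to one that returns only "Request Failed" and sends the path and exception to the administrator's log. The incident reference in the generic message and the in-memory log handler are assumptions added here for demonstration, and a temporary directory stands in for c:\secretstuff\docs.

```python
import logging
import tempfile
import uuid
from pathlib import Path
from typing import List, Tuple

LOG = logging.getLogger("app.errors")
GENERIC_ERROR = "Request Failed"


def leaky_read(base_dir: Path, name: str) -> str:
    """'Before': on failure, the caller learns the directory layout and OS error text."""
    target = base_dir / name
    try:
        return target.read_text()
    except OSError as exc:
        return f"Unable to locate {name} at {target.parent}: {exc}"


def safe_read(base_dir: Path, name: str) -> Tuple[bool, str]:
    """'After': the caller gets a fixed message plus an opaque reference;
    the full path and exception go only to the administrator's log."""
    target = base_dir / name
    try:
        return True, target.read_text()
    except OSError as exc:
        incident_id = uuid.uuid4().hex[:12]  # assumed: lets the admin match a user report to this log line
        LOG.error("incident=%s op=read path=%s error=%r", incident_id, target, exc)
        return False, f"{GENERIC_ERROR} (ref {incident_id})"


class _ListHandler(logging.Handler):
    """Stand-in for the event log: keeps records in memory so they can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def capture_log() -> List[logging.LogRecord]:
    handler = _ListHandler()
    LOG.addHandler(handler)
    LOG.setLevel(logging.ERROR)
    return handler.records


if __name__ == "__main__":
    secret_dir = Path(tempfile.mkdtemp())  # constructed stand-in for c:\secretstuff\docs
    records = capture_log()
    print("leaky :", leaky_read(secret_dir, "stuff.txt"))
    print("safe  :", safe_read(secret_dir, "stuff.txt")[1])
    print("logged:", records[0].getMessage())
```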