Do Not Issue Verbose Error Information Remotely
By default, ASP.NET the configuration setting <customErrors> is set to remoteOnly and gives verbose information locally and nothing remotely. Developers commonly change this on staging servers to facilitate off-the-box debugging and forget to restore the default before deployment. This should be set to either remoteOnly (default) or On. Off is inappropriate for production servers.
<configuration> <system.web> <customErrors> defaultRedirect="error.htm" mode="RemoteOnly" <error statusCode="404" redirect="404.htm"/> </customErrors> </system.web> </configuration>