Make sure you do not return full exception details to the caller. If you use an ASP.NET host, make sure ASP.NET is configured so that generic error messages are returned to the client, as shown below.
<configuration>
  <system.runtime.remoting>
    <!-- Valid values for mode attribute are
         on - callers receive default error messages
         remoteOnly - clients on the same computer as the remote component
                      receive detailed exception information. Remote calls
                      receive a default error message
         off - callers receive detailed exception information -->
    <customErrors mode="on"/>
  </system.runtime.remoting>
</configuration>
Use mode="on" or mode="remoteOnly". Do not use mode="off" on production servers.
You could implement a custom channel sink to perform client-side and/or server-side exception logging. You can log exception details in the SyncProcessMessage or ProcessMessage methods if an exception occurs. The IMessage and Exception parameters provide exception details.