Exception Management


Do not allow exception details to propagate from your Web applications back to the client. A malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks.

<customErrors>

The <customErrors> element can be used to configure custom, generic error messages that should be returned to the client in the event of an application exception condition. The error page should include a suitably generic error message, optionally with additional support details. You can also use this element to return different error pages depending on the exception condition.

Make sure that the mode attribute is set to "On" and that you have specified a default redirect page, as shown below:

    <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

The defaultRedirect attribute allows you to use a custom error page for your application, which for example might include support contact details.

Note

Do not use mode="Off" because it causes detailed error pages that contain system-level information to be returned to the client.

If you want separate error pages for different types of error, use one or more <error> elements as shown below. In this example, "404 (not found)" errors are redirected to one page, "500 (internal server error)" responses are redirected to another page, and all other errors are redirected to the page specified by the defaultRedirect attribute.

    <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
        <error statusCode="404" redirect="YourNotFoundPage.htm"/>
        <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
    </customErrors>
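The following script is an added example, not code from the book: it audits the <customErrors> element of a web.config against the guidance in this section (mode="On", a defaultRedirect page, and well-formed <error> entries) and reports the weak settings it finds. The sample configuration strings are constructed for the example; the function name audit_custom_errors is an assumption of this example, not an ASP.NET API.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real deployment).
SAMPLES = {
    # Matches the recommended configuration from the section above.
    "hardened": """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
      <error statusCode="404" redirect="YourNotFoundPage.htm"/>
      <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
    </customErrors>
  </system.web>
</configuration>""",
    # The setting the Note warns against: detailed errors go to every client.
    "leaks_details": """<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>""",
    # Custom errors are on, but no custom page is named.
    "no_redirect": """<configuration>
  <system.web>
    <customErrors mode="On"/>
  </system.web>
</configuration>""",
    # Element absent entirely: the inherited default applies, not an explicit choice.
    "missing_element": """<configuration>
  <system.web/>
</configuration>""",
}


def audit_custom_errors(web_config_xml: str) -> list[str]:
    """Return a list of findings for the <customErrors> configuration.

    An empty list means the configuration matches the guidance in this
    section. Matching of the mode value is case-insensitive so that an
    unusual casing of "off" is not silently missed by the audit.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    findings = []

    if node is None:
        findings.append(
            "customErrors element missing: behaviour is inherited from the "
            "machine-level defaults; set mode=\"On\" explicitly"
        )
        return findings

    mode = node.get("mode", "")
    if mode.lower() == "off":
        findings.append('mode="Off": detailed exception pages are returned to every client')
    elif mode.lower() == "remoteonly":
        # Generic pages go to remote clients, but requests from the server itself
        # still receive detailed pages; the section asks for "On".
        findings.append('mode="RemoteOnly": detailed pages still shown to local requests; use "On"')
    elif mode.lower() != "on":
        findings.append(f'unrecognised mode value "{mode}"')

    if not node.get("defaultRedirect"):
        findings.append(
            "defaultRedirect not set: the generic ASP.NET error page is used "
            "instead of a custom page with support details"
        )

    # Each <error> element needs both a status code and a target page.
    for err in node.findall("error"):
        if not err.get("statusCode") or not err.get("redirect"):
            findings.append("<error> element is missing statusCode or redirect")

    return findings


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        result = audit_custom_errors(xml)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run the script as-is to see each sample classified; point audit_custom_errors at the contents of a real web.config to check a deployment. Attribute values in ASP.NET configuration are documented as "On", "Off" and "RemoteOnly"; the case-insensitive comparison is a deliberate choice of this audit so that a misspelt or oddly cased value is still reported rather than treated as safe.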



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
