You should use try/catch/finally structured exception handling in your code to avoid unhandled exceptions. Do not reveal internal system or application details, such as stack traces, SQL statement fragments, and table or database names. Ensure that this type of information is not allowed to propagate to the end user or beyond your current trust boundary. This is important because any malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks. If an exception is thrown, make sure your application fails securely, denies access, and is not left in an insecure state. Do not log sensitive or private data, such as passwords, that could be compromised. When you log or report exceptions, if user input is included in exception messages, validate it or sanitize it. For example, if you return an HTML error message, you should encode the output to avoid possible script injection.