J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Applies to
Answer:
To prevent detailed errors from returning to the client set the mode attribute of <customErrors> element to On, so that all callers receive filtered exception information. Also you can set pageOutput="false" on the <trace> element to disable trace output. Alternatively you can set the retail=”true” on the <deployment> element which disable configuration settings such as trace output, custom errors, and debug capabilities. It overrides all application level settings hence when using this setting the trace output, custom errors and debug settings need not be configured. This is important because any malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks. Here is how you configure the application for preventing from detailed errors from returning to the client.
- Set the mode attribute of <customErrors> element to On and set the defaultRedirect to a default error page displaying friendly error message page which, for example, might include support contact details.
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
- If you have any known errors before hand you can set the specific error pages for those errors as follows.
<customErrors mode="On" defaultRedirect="YourErrorPage.htm">
<error statusCode="404" redirect="customerror404.htm"/>
<error statusCode="405" redirect="customerror405.htm"/>
</customErrors>
- Set pageOutput="false" on the <trace> element to disable trace output. To prevent trace being accidentally being re-enabled, consider locking this for all applications on a server by applying the following configuration in the machine-level Web.config file. Enclose the <trace> element in a <location> element and set allowOverride to false.
<location path="" allowOverride="false">
<system.web>
<trace pageOutput="false" ... />
</system.web>
</location>
- Alternatively Set the retail=true on the <deployment> element as follows
<deployment retail="true"/>
Attributes
Author: J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Category: Exception Management
filePath: ..\Libraries\patterns & practices Library\faq\d610fc62-14dc-44f2-874b-550baace1030.xml
Pri: 2
Rule Type: Implementation
Source: patterns & practices Library
Status: Release
Technology: ASP.NET 2.0
Title: Question - How do I prevent detailed errors from returning to the client
Topic: Security
Type: Question and Answer
ID: d610fc62-14dc-44f2-874b-550baace1030