Handling error messages securely
Displaying information to the users in error messages is an important issue which you should pay attention to. Revealing some pieces of information (for example stack trace or debug data) can pose a security risk to your site, while not providing enough information would not help the users at all. To ensure that the error messages in your system are handled properly, follow these procedures:
- Designing secure error messages - lean how to design error messages in a way that the potential attackers cannot gain exploitable knowledge about the system.
- Creating custom error handling pages - create your custom error pages, which will be displayed to the users instead of the default ones. This is an important step, as you need to unify the error messages throughout the system.
It is a good practice to disable displaying debugging and tracing information in the error messages before going live with your website. See Web.config file settings.