Handling error messages securely
Displaying information to users in error messages is an important issue which you should pay attention to. Revealing some pieces of information (for example stack trace or debug data) can pose a security risk to your site, while not providing enough information would not help the users at all. To ensure that the error messages in your system are handled properly, follow these procedures:
Design error messages in a way that does not allow potential attackers to gain exploitable knowledge about the system. See Designing secure error messages.
Create your own error pages, which will be displayed instead of the default ones. It is important to present unified error messages throughout the system, for all types of errors. See:
- Handling 404 errors in MVC applications
- Creating custom error handling pages (Portal Engine development)
Before going live with your website, disable debugging and tracing information in error messages. See Web.config security settings.