Question: How do I prevent detailed errors from returning to the client?
Answer:
To prevent detailed errors from returning to the client, set the mode attribute of the <customErrors> element to On, so that all callers receive filtered exception information. You can also set pageOutput="false" on the <trace> element to disable trace output.
Alternatively, you can set retail="true" on the <deployment> element, which disables configuration settings such as trace output, custom errors, and debug capabilities. It overrides all application-level settings, so when you use this setting the trace output, custom errors and debug settings need not be configured.
This is important because any malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks.
Here is how you configure the application to prevent detailed errors from returning to the client.
* Set the mode attribute of the <customErrors> element to On and set defaultRedirect to a default error page that displays a friendly error message and, for example, might include support contact details.
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
* If you know of specific errors beforehand, you can set specific error pages for those errors as follows.
<customErrors mode="On" defaultRedirect="YourErrorPage.htm">
<error statusCode="404" redirect="customerror404.htm"/>
<error statusCode="405" redirect="customerror405.htm"/>
</customErrors>
* Set pageOutput="false" on the <trace> element to disable trace output. To prevent trace from being accidentally re-enabled, consider locking this for all applications on a server by applying the following configuration in the machine-level Web.config file. Enclose the <trace> element in a <location> element and set allowOverride to false.
<location path="" allowOverride="false">
<system.web>
<trace pageOutput="false" ... />
</system.web>
</location>
* Alternatively, set retail="true" on the <deployment> element as follows.
<deployment retail="true"/>
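The settings above can be checked automatically before deployment. The following Python script is an added example, not part of the original FAQ; it takes the text of a configuration file and reports which of the settings discussed here are missing or weak. The function name, the sample files and the check on <compilation debug="true"> (the debug setting the answer refers to) are assumptions made for illustration, and the script assumes the file declares no XML namespace.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text):
    """Return a list of findings for the error-disclosure settings in this FAQ."""
    root = ET.fromstring(xml_text)
    # <system.web> may sit directly under <configuration> or inside <location>.
    sections = list(root.iter("system.web"))

    def first(tag):
        return next((s.find(tag) for s in sections if s.find(tag) is not None), None)

    deployment = first("deployment")
    if deployment is not None and deployment.get("retail") == "true":
        # retail="true" overrides the per-application settings checked below.
        return []

    findings = []
    custom_errors = first("customErrors")
    mode = custom_errors.get("mode") if custom_errors is not None else None
    if mode != "On":
        findings.append("customErrors mode is %s, expected On" % (mode or "not set"))
    elif not custom_errors.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect error page")

    trace = first("trace")
    if trace is not None and trace.get("pageOutput") == "true":
        findings.append("trace pageOutput is true, expected false")

    compilation = first("compilation")
    if compilation is not None and compilation.get("debug") == "true":
        findings.append("compilation debug is true")
    return findings

# Constructed sample files, not taken from a real application.
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
  <trace enabled="true" pageOutput="true" />
  <compilation debug="true" />
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
    <error statusCode="404" redirect="customerror404.htm"/>
  </customErrors>
  <trace pageOutput="false" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_web_config(text))
```

An empty list means the file matches the recommendations above; a file with retail="true" also returns an empty list because that setting overrides the others.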