Don't publish your error messages!
While browsing the website of a certain ‘big name brand’ this morning I came across this:
Ironically, the key thing to consider here is written in plain text just below the heading: “The following information is meant for the website developer for debugging purposes.” For internal error messages like these, which even include a stack trace from the application, to end up public facing is a pretty big deal. Apart from being an extremely poor experience for the end user, it is a serious security risk.
The error message and accompanying stack trace from the application needlessly expose a great deal of internal information about the server and the website running on it to the outside world. Such information can easily form the building blocks of a security breach for someone who knows what to look for.
Some advice for developers:
- Debug mode should always be turned off before deployment to your live production environment. For ASP.NET developers like myself, this means: Don’t run production ASP.NET applications with `debug="true"` enabled.
- Any stack traces or internal errors produced by your application should always be hidden from end users and logged/audited internally only. For ASP.NET, consider using a framework such as ELMAH for error logging.
- It’s often overlooked, but when the worst does happen and an error is encountered, try to show your end users something that will actually be a useful explanation for them, rather than something they’ll just find confusing. For ASP.NET this means using custom errors.
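The two ASP.NET settings the list refers to, as an added web.config example that is not from the original post: the first fragment is the misconfiguration that produces a public stack trace, the second is the production-safe form. The page names (`~/Error.aspx`, `~/NotFound.aspx`) are assumed.

```xml
<!-- web.config, BEFORE (constructed example of the weak configuration):
     a debug build with custom errors switched off, so any unhandled
     exception renders the full stack trace to every visitor -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- web.config, AFTER: release build; detailed errors are shown only for
     requests made from the server itself (RemoteOnly), while remote users
     are redirected to a friendly page. The page paths are assumed names. -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
  </system.web>
</configuration>
```

As a safety net on the server, `<deployment retail="true" />` under `<system.web>` in machine.config forces `debug="false"` and custom errors on for every application on that machine, whatever an individual web.config says.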
