Friday, May 5, 2017

How to configure ASP.NET Custom Errors Correctly

Before you deploy a site, make sure custom errors are turned on so that an unhandled exception does not leak details (stack trace, source lines, file paths, framework version) that an attacker can use against it. The three steps below go from the minimum setting to one that gives nothing away on the wire.

Enable Custom Errors

Setting customErrors mode="On" keeps the exception details away from users, but ASP.NET still answers with its stock "Runtime Error" page (the YSOD without the stack trace) and an HTTP 500 status. Attackers scan for pages that return 500 as potential targets, so this is only the first step. Use "On" rather than "RemoteOnly" unless you really need the details from localhost; with "Off" the full YSOD goes to everyone.

<configuration>
      <system.web>
            <customErrors mode="On" />
      </system.web>
</configuration>


Add a user friendly error page 

The downside is that ASP.NET implements defaultRedirect with a 302 to the error page and appends the failing page in the query string (Error.aspx?aspxerrorpath=/Checkout.aspx), so the URL pattern still announces that an internal server error happened and which page produced it. Again, this highlights a potential target for an attacker.

<configuration>
      <system.web>
            <customErrors mode="On" defaultRedirect="Error.aspx" />
      </system.web>
</configuration>


Get rid of the error page pattern in the URL

With redirectMode="ResponseRewrite" the error page is rendered in place under the original URL. The default is "ResponseRedirect"; note that the value must be spelled "ResponseRewrite" in full, a bare "Rewrite" is not a valid value and fails with a configuration error. The response now returns 200 and looks like a successful page, and there is no 302 to detect either. The only way to tell there was an error is to read the message on the page; it cannot be determined from a URL pattern or a status code. Two caveats: because the client sees 200, your own monitoring has to rely on server-side logging (Application_Error or the Windows event log) rather than on status codes, and the error page itself must never throw, or you are back to the YSOD. Also, customErrors only covers exceptions raised inside the ASP.NET pipeline; errors handled by IIS itself (for example a 404 for a static file or a 500.19 configuration error) are governed by system.webServer/httpErrors.

<configuration>
      <system.web>
            <customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite" />
      </system.web>
</configuration>
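To check which of the three stages a deployed site is actually at, here is a small probe, added as an example (it is not from the original post). It classifies a response by what an attacker can read from it: stack trace or source line in the body, a 500 status, a redirect carrying the aspxerrorpath query string, or only the stock error text. The marker strings are the real text of the stock ASP.NET error pages, but the four sample responses are constructed for the example, and probe() is the only part that touches the network.

```python
"""Classify an error response for the information it leaks.

Added example, not code from the original post. Marker strings are the
stock ASP.NET error page texts; the SAMPLES below are constructed responses
for the four customErrors configurations, not real captures.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

# Present only when exception details are shown (customErrors Off, or
# RemoteOnly viewed from localhost).
STACK_MARKERS = ("Stack Trace:", "Source Error:")
# Present on the stock pages even with mode="On".
GENERIC_MARKERS = ("Server Error in '/' Application", "Runtime Error")


def classify(status, headers, body):
    """Return (score, findings) for one response.

    3: exception details in the body (stack trace, source line)
    2: error detectable from the status code or redirect pattern alone
    1: error detectable only by reading the page text
    0: nothing on the wire distinguishes it from a normal page
    """
    score, findings = 0, []
    if any(m in body for m in STACK_MARKERS):
        findings.append("exception details in body")
        score = max(score, 3)
    if status >= 500:
        findings.append(f"HTTP {status} status")
        score = max(score, 2)
    location = headers.get("Location", "")
    if status in (301, 302, 307) and location:
        qs = parse_qs(urlparse(location).query)
        if "aspxerrorpath" in qs:
            # ResponseRedirect mode: the failing page is named in the URL.
            findings.append(f"redirect names failing path {qs['aspxerrorpath'][0]}")
            score = max(score, 2)
    if any(m in body for m in GENERIC_MARKERS):
        findings.append("stock ASP.NET error text in body")
        score = max(score, 1)
    return score, findings


# Constructed sample responses: (status, headers, body).
SAMPLES = {
    "customErrors Off": (
        500, {"Content-Type": "text/html"},
        "<h1>Server Error in '/' Application.</h1><b>Stack Trace:</b> at MyApp.Page_Load"),
    "mode=On, no defaultRedirect": (
        500, {}, "<h1>Server Error in '/' Application.</h1><h2>Runtime Error</h2>"),
    "mode=On, defaultRedirect (ResponseRedirect)": (
        302, {"Location": "/Error.aspx?aspxerrorpath=/Checkout.aspx"}, ""),
    "mode=On, defaultRedirect, ResponseRewrite": (
        200, {}, "<h1>Something went wrong</h1><p>Please try again later.</p>"),
}


def audit(samples=SAMPLES):
    """Classify every sample; returns {name: (score, findings)}."""
    return {name: classify(*resp) for name, resp in samples.items()}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url):
    """Fetch url without following redirects and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return classify(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, (score, findings) in audit().items():
        print(f"{score}  {name}: {', '.join(findings) or 'nothing detectable'}")
```

Run probe() against a URL you know throws (a test page that raises deliberately) and aim for score 0 from outside; anything above that means a scanner can still pick the page out without reading it.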
