Monday 27 July 2009

Issue #6 Error Messages

You should never see the yellow screen of doom on a production web server. Full stop, end of story! It gives away too much information about your code and where it is stored, and it hands anyone who can read the stack trace ideas on how to penetrate your defences.

The customErrors element in your web.config should always be set to either On or RemoteOnly at the very least. Setting it to RemoteOnly even in development still lets you debug the application locally, but once it is deployed the detailed error screen will not be shown to any non-local users.

You should also make sure that debug is turned off in the web.config, and trace as well, because both of these give away still more information.
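The three settings above, as an added web.config example that is not from the original post: the weak development values are shown commented out beside the production values. The page names Error.aspx and NotFound.aspx are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- WEAK: typical development settings that must not reach production.
         mode="Off" shows the full yellow screen (stack trace, file paths,
         framework version) to every visitor. -->
    <!--
    <customErrors mode="Off" />
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    -->

    <!-- PRODUCTION: RemoteOnly keeps the detailed page for requests from
         localhost only; everyone else is sent to a generic error page.
         (mode="On" hides it from local users too.)
         Error.aspx / NotFound.aspx are assumed page names. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- debug="false": no debug symbols, and the framework stops emitting
         the extra diagnostic detail that debug builds include. -->
    <compilation debug="false" />

    <!-- Disable page tracing so trace.axd and per-page trace output,
         which list request data, cookies, server variables and timings,
         are not available to anyone. -->
    <trace enabled="false" />

  </system.web>
</configuration>
```

As a server-wide safety net, `<deployment retail="true" />` inside `<system.web>` of the server's machine.config forces debug off, trace off and customErrors on for every site on that machine, regardless of what an individual web.config says.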

Below is a screenshot from the Irish Examiner web site showing the yellow error screen. You can see how much additional information it gives away, such as the location of the files and the fact that the site is written in VB.NET running on the 2.0 Framework.

[Screenshot: IrishExaminer yellow error screen]
