2

I keep reading that an ASP.NET based web site should have custom errors enabled in the web.config because exceptions will show a stack trace.

I may have a faulty memory (currently don't have access to an ASP.NET website under development), but I thought as long as Compilation debug="false" in the web.config file, then the stack trace will not be displayed.

Is my understanding correct about the debug flag and display of the stack trace? If so, then even if custom errors are not enabled, won't the only message displayed to remote users for an exception be the non-descriptive message:

"The page cannot be displayed because an internal server error has occurred."

If so then wouldn't it be OK, from a security perspective, to not display a custom error page for the exception?

2
  • do you mean "custom" errors not "customer" errors??? Commented Jul 6, 2010 at 23:46
  • yes, I corrected the typo. Hope I fixed all instances. Commented Jul 6, 2010 at 23:51

2 Answers

3

No, a stack trace will still be shown even if the debug flag is off, but it will not have line numbers for each call in the stack.

The non-descriptive message is what the browser usually shows instead of the actual error message from the server, unless you change the configuration. Anyone wanting to expose information by causing error messages would know how to do this.

Displaying the stack trace isn't a security risk in itself, but it does expose some information that could potentially make it easier to hack the site. A hacker might for example get a clue as to what's done to sanitise the input and find a way around it.

2 Comments

Then using one global custom error page would be an improvement in terms of best practices, versus no custom error pages, correct?
@harrije: Yes, it keeps the error message from leaking information, and it gives a better experience for users who happen to get an error message.
1

Custom error messages should almost always be preferred over the default error thrown. It gracefully sends your user to a location where they can keep browsing your site without having to go back and try again.

Turning DEBUGGING off in your web.Config is VERY important and goes beyond just not showing the line numbers and stack trace... it also tells the compiler to build in release mode which optimizes performance dramatically. As soon as your app goes to production, all debugging should be disabled.
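Both answers come down to two settings in web.config, so here is an added example of the relevant `<system.web>` section (this is not configuration posted by either answerer). The commented-out lines are the weak combination the question asks about; the active lines are the hardened one. The page names `~/Error.aspx` and `~/NotFound.aspx` are assumed placeholders and must exist in your application for the redirects to work.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Weak combination: with customErrors off, every client receives the
         full exception page (message and stack trace). Setting debug="false"
         on its own only strips line numbers from that trace; it does not
         hide it. -->
    <!-- <customErrors mode="Off" /> -->
    <!-- <compilation debug="true" /> -->

    <!-- Hardened combination: remote clients are redirected to a generic
         page, while requests from localhost still get the detailed error so
         developers can diagnose problems on the box itself. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <!-- Optional per-status page; path is an assumed placeholder. -->
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- Release build: no debug symbols in generated assemblies, no
         line numbers in traces, and the performance benefits noted above. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

Use `mode="On"` instead of `RemoteOnly` if administrators also log in to the server through a browser and should never see the detailed page. On a server you control, `<deployment retail="true" />` in machine.config enforces the same outcome for every application on the machine, overriding any site that sets `customErrors mode="Off"` or `debug="true"`.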
