Geeks With Blogs

No application we build will be completely error free; at some point it will throw an exception. It is good practice to handle such exceptions in a way that does not expose any critical information that would invite attackers.

When an error occurs in an application and is not handled properly, the error page reveals a lot of critical information: the physical path, the framework version number, internal implementation details (code) and more. (Refer to the image below.)

[Image: default ASP.NET error page showing these details]
This can be avoided by enabling <customErrors> in Web.config, which stops such critical information from being exposed to the public.

Step 1:

Enable customErrors: add a <customErrors> section under the <system.web> section and set its mode attribute to "On".


Default mode of <customErrors> is "Off" – this exposes the error details to the user on the web page.


Mode "On" – this hides the information from the user on the web page.


Mode "RemoteOnly" – this is what you want on a development machine: when the request comes from the local machine the exception details are shown on the web page, which helps in debugging; when the request comes from a remote machine it is treated as mode "On", i.e., the critical information is hidden.


Step 2:

For a better user experience, we can redirect the user to a custom error page. To do that, set the defaultRedirect attribute in the <customErrors> tag; the application then redirects to the specified page when an exception is thrown.

<customErrors mode="On" defaultRedirect="~/Error.aspx" ></customErrors>


However, when the redirection happens the URL changes too, to something like (example URL) http://sampleapplication/Error?aspxerrorpath=/Contact, where "/Contact" indicates that the error occurred on the Contact page before the navigation to "Error.aspx". There is no need to display this to the user. It can be avoided with one more configuration under the <customErrors> tag: set redirectMode to "ResponseRewrite". The <customErrors> tag then looks like the one below.


<customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite" ></customErrors>


With this setting the URL is not changed and looks like (example URL) http://sampleapplication/Contact
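The following Web.config fragment is an added example (not code from the original post) that puts Step 1 and Step 2 together: the weak setting is shown commented out beside the hardened production setting, with the RemoteOnly variant for development machines. The page names ~/Error.aspx and ~/NotFound.aspx and the per-status <error> entry are assumptions for illustration; only ~/Error.aspx appears in the post.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example Web.config fragment; not from the original post. -->
<configuration>
  <system.web>

    <!-- WEAK: mode="Off" renders the default ASP.NET error page to every
         caller, exposing the physical path, framework version and code. -->
    <!--
    <customErrors mode="Off" />
    -->

    <!-- HARDENED (production): hide details from every caller and serve
         ~/Error.aspx in place of the failing page; ResponseRewrite keeps
         the browser's URL unchanged, so no ?aspxerrorpath=... leaks out. -->
    <customErrors mode="On"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite">
      <!-- Optional per-status page (assumed path); statusCode and redirect
           are the standard attributes of the <error> element. -->
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- DEVELOPMENT alternative: full details only for requests from the
         local machine, the custom page for everyone else. -->
    <!--
    <customErrors mode="RemoteOnly"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />
    -->

  </system.web>
</configuration>
```

Two things to check after deploying this: first, request a page that fails from a remote machine (not from the server itself) and confirm that only the custom page comes back, since RemoteOnly hides nothing from local requests; second, make sure Error.aspx itself only shows a generic message and logs the exception server-side, because with ResponseRewrite the page is executed in place of the failing request and anything it renders, including details obtained from Server.GetLastError(), goes straight to the user.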


With all these settings we avoid exposing internal code or similar information to the user, and the application is prepared to handle exceptions thrown at runtime.


Hope this helps.


Posted on Thursday, February 5, 2015 6:34 AM .NET , ASP.NET

Comments on this post: ASP.NET Security – Custom Error Handling

# re: ASP.NET Security – Custom Error Handling
I found your blog to be very informative and interesting. On similar lines you can also check out which is also a very good blog on this very topic. Request you to continue writing on varied topics as we would like to read.
Left by Rajesh Shirsagar on Jul 06, 2017 3:32 PM


Copyright © Manjunath K