ASP.NET CustomErrors Is Disabled
Description
ASP.NET applications with CustomErrors disabled expose detailed error messages, stack traces, and framework version information to remote users. When an error occurs, the application returns verbose diagnostic information that reveals internal application structure, file paths, database connection details, and .NET Framework versions. This configuration is intended for development environments and should never be used in production systems.
Remediation
Enable custom error pages for remote users by modifying the web.config file. Set the customErrors mode to either On (always show custom errors) or RemoteOnly (show detailed errors only to localhost).
Add or update the following configuration in your web.config file within the <system.web> section:
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
Create user-friendly error pages that do not expose technical details. Log detailed error information server-side for debugging purposes instead of displaying it to users. After making changes, restart the application pool to ensure the configuration takes effect.
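To verify the remediation, the check below reads a web.config document and reports the effective customErrors mode, treating a missing element or attribute as the ASP.NET default (RemoteOnly). It is an added example, not part of the original page; the function name audit_custom_errors and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAFE_MODES = {"On", "RemoteOnly"}  # the two values the remediation accepts
DEFAULT_MODE = "RemoteOnly"        # ASP.NET default when customErrors or its mode is absent

def _local(tag):
    """Strip an XML namespace so namespaced web.config files also match."""
    return tag.rsplit("}", 1)[-1]

def _child(parent, name):
    """First direct child with the given local name, or None."""
    if parent is None:
        return None
    return next((c for c in parent if _local(c.tag) == name), None)

def audit_custom_errors(web_config_xml):
    """Return the effective customErrors settings of one web.config document."""
    root = ET.fromstring(web_config_xml)
    if _local(root.tag) != "configuration":
        raise ValueError("root element is not <configuration>")
    ce = _child(_child(root, "system.web"), "customErrors")
    mode = DEFAULT_MODE if ce is None else ce.get("mode", DEFAULT_MODE)
    pages = {} if ce is None else {
        e.get("statusCode"): e.get("redirect")
        for e in ce if _local(e.tag) == "error"}
    return {
        "mode": mode,
        "explicit": ce is not None and "mode" in ce.attrib,
        "ok": mode in SAFE_MODES,  # "Off" or any unexpected value is a finding
        "default_redirect": None if ce is None else ce.get("defaultRedirect"),
        "status_pages": pages,
    }

# Constructed sample inputs (not taken from any real application).
SAMPLES = {
    "hardened": ('<configuration><system.web>'
                 '<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">'
                 '<error statusCode="404" redirect="~/NotFound.aspx" />'
                 '<error statusCode="500" redirect="~/ServerError.aspx" />'
                 '</customErrors></system.web></configuration>'),
    "disabled": ('<configuration><system.web><customErrors mode="Off" />'
                 '</system.web></configuration>'),
    "implicit": ('<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">'
                 '<system.web /></configuration>'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        r = audit_custom_errors(xml_text)
        print(f"{name}: mode={r['mode']} explicit={r['explicit']} -> {'ok' if r['ok'] else 'FINDING'}")
```

A result with explicit set to False relies on the framework default; setting the mode explicitly, as in the configuration above, keeps the intent visible in the file.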