Programming Error Messages
Description
This alert requires manual confirmation
The application exposes detailed error or warning messages that reveal internal implementation details. These messages may include stack traces, absolute file paths, database query errors, or framework-specific debugging output that should not be visible to end users. Such output tells an attacker which framework, language and database are in use, where the code lives on disk, and how queries are constructed, which makes follow-on attacks such as SQL injection or path traversal far easier to craft. Verbose error handling of this kind is most often caused by a development or debug mode being left enabled in a production environment.
Remediation
Configure the application to suppress detailed error messages in production environments and log errors securely instead:
For PHP applications:
Set the following directives in php.ini (they can also be set in .htaccess with the php_flag/php_value syntax, but only when PHP runs as an Apache module):

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
error_reporting = E_ALL

Keep error_reporting at E_ALL so that everything is still written to the log even though nothing is shown to the client, and make sure the log file is not inside the web root.
For ASP.NET applications:
Configure customErrors under system.web in web.config, and make sure compilation debug is off. Note that mode="RemoteOnly" still returns full details to requests originating from the server itself; use mode="On" unless local debugging on the production host is genuinely required:

<system.web>
  <compilation debug="false" />
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html">
    <error statusCode="404" redirect="~/NotFound.html" />
    <error statusCode="500" redirect="~/ServerError.html" />
  </customErrors>
</system.web>

customErrors does not apply to ASP.NET Core: there the developer exception page is tied to the Development environment, so set ASPNETCORE_ENVIRONMENT to Production and only call UseDeveloperExceptionPage() when IsDevelopment() is true.
For Java applications:
Configure error pages in web.xml. Map java.lang.Throwable rather than java.lang.Exception so that errors such as StackOverflowError are covered too, and map the 500 status code as well, because some containers render their own detailed page for failures that do not surface as a caught exception:

<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.jsp</location>
</error-page>

The error.jsp page itself must only render a generic message: if it is declared with isErrorPage="true" it has access to the exception object, and it must not print the exception message or stack trace.
General best practices:
- Display generic error messages to users (e.g., "An error occurred. Please try again later.")
- Log detailed error information to secure server-side log files with appropriate access controls
- Implement centralized error handling and logging mechanisms
- Regularly review error logs for security issues and anomalies
- Ensure debug mode is disabled in production environments
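The practices above combined into one centralized handler, as an added example that is not code from the original page: a Python WSGI middleware that logs the full exception (type, message, stack trace) server-side under an opaque error ID and returns only a generic message plus that ID to the client. The application, request path, file path and SQL text in it are constructed for the demonstration; the debug=True branch is kept only to show what the alert is reporting.

```python
"""Centralized error handling for a WSGI application (added example).

Logs full exception detail server-side, returns a generic message to the
client. Runs offline with the standard library only; the application and the
error text below are made up for the demonstration.
"""
import logging
import sys
import traceback
import uuid

logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)

GENERIC_MESSAGE = "An error occurred. Please try again later."


class ListHandler(logging.Handler):
    """Collects formatted log records in memory so the demo can show what the log receives."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


class SafeErrorMiddleware:
    """Wrap a WSGI app so unhandled exceptions never reach the client in detail."""

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug  # must be False in production

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            exc_info = sys.exc_info()
            details = "".join(traceback.format_exception(*exc_info))
            # Opaque reference that lets support correlate a user report with the log entry.
            error_id = uuid.uuid4().hex
            # Full detail goes only to the server-side log.
            logger.error(
                "error_id=%s method=%s path=%s\n%s",
                error_id,
                environ.get("REQUEST_METHOD"),
                environ.get("PATH_INFO"),
                details,
            )
            if self.debug:
                # Development only: this is exactly the leak the alert describes.
                body = details
            else:
                body = f"{GENERIC_MESSAGE} (reference: {error_id})"
            # exc_info is passed so that WSGI permits start_response to be called again
            # if the wrapped app had already called it before raising.
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain; charset=utf-8")],
                exc_info,
            )
            return [body.encode("utf-8")]


def buggy_app(environ, start_response):
    """Hypothetical application that fails in a way revealing internals (constructed)."""
    query = "SELECT * FROM users WHERE id = '1'"
    raise RuntimeError(f"database error near '{query}' in /srv/app/models/user.py")


def run_request(app, path="/account", method="GET"):
    """Drive a WSGI app with a minimal constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


if __name__ == "__main__":
    handler = ListHandler()
    logger.addHandler(handler)
    print("production response:", run_request(SafeErrorMiddleware(buggy_app, debug=False)))
    print("debug response:", run_request(SafeErrorMiddleware(buggy_app, debug=True)))
    print("server-side log entry:\n", handler.records[0])
```

In a real deployment the debug flag would come from the environment rather than a constructor argument, and the log target would be a file or log shipper with restricted permissions; the error ID shown to the user is the only piece of information that should cross the trust boundary.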