Description
Detailed application and database error messages are returned to the client when the application fails to handle an exception raised by its own code or by the database backend. Such messages can reveal absolute file paths, framework and server versions, source fragments, stack traces, the SQL query that failed, table and column names, and sometimes connection details. An attacker uses them to fingerprint the stack and to refine attacks, most directly SQL injection, where the database's own syntax error confirms that input reached the query. Unhandled exceptions are also an availability risk: a code path that aborts without releasing database connections, file handles or memory can be triggered repeatedly until the server runs out of resources.
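A practical way to confirm this finding during a test is to look for the fingerprints of detailed error output in response bodies. The following Python is an added example, not code from the original page: the regular expressions are assumptions modelled on the text that ASP.NET, PHP, Java/Tomcat and common databases typically emit, and the sample response bodies are constructed for the example rather than captured from a real target.

```python
import re

# Fingerprints of detailed application and database error output. Each
# pattern is an assumption based on the text such errors typically contain;
# extend the list for the stacks you test.
FINGERPRINTS = [
    ("aspnet_error_page", re.compile(r"Server Error in '[^']*' Application")),
    ("aspnet_exception_details", re.compile(r"Exception Details: [\w.]+(?:Exception|Error)\b")),
    ("php_runtime_error", re.compile(
        r"\b(?:Warning|Notice|Fatal error|Parse error|Deprecated)\b:\s+.+? in \S+(?: on line \d+|:\d+)")),
    ("java_exception_class", re.compile(
        r"\b(?:java|javax|jakarta|org\.springframework|org\.hibernate)\.[\w.]*(?:Exception|Error)\b")),
    ("java_stack_trace", re.compile(r"^\s*at [\w$.<>]+\([\w$]+\.java:\d+\)", re.M)),
    ("python_traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("mysql_error", re.compile(r"You have an error in your SQL syntax")),
    ("mssql_error", re.compile(r"Unclosed quotation mark after the character string|Incorrect syntax near")),
    ("oracle_error", re.compile(r"\bORA-\d{5}\b")),
    ("postgres_error", re.compile(r"syntax error at or near|relation \"[^\"]+\" does not exist")),
    ("pdo_sqlstate", re.compile(r"SQLSTATE\[\w+\]")),
]

TAG = re.compile(r"<[^>]+>")


def find_verbose_errors(body: str) -> list[str]:
    """Return the fingerprint labels found in one response body, in
    FINGERPRINTS order. HTML tags are stripped first because PHP and ASP.NET
    wrap parts of the message in <b>/<h2> elements."""
    text = TAG.sub("", body)
    return [label for label, rx in FINGERPRINTS if rx.search(text)]


def triage(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each request label to its fingerprint hits, omitting clean responses."""
    result = {}
    for name, body in responses.items():
        hits = find_verbose_errors(body)
        if hits:
            result[name] = hits
    return result


# Constructed sample bodies, modelled on what each stack returns when a
# single quote or a bad identifier reaches the database layer unhandled.
SAMPLE_RESPONSES = {
    "aspnet_quote_in_id": (
        "<html><body><h1>Server Error in '/' Application.</h1>\n"
        "<h2>Exception Details: System.Data.SqlClient.SqlException: "
        "Unclosed quotation mark after the character string 'x'.</h2>\n"
        "<b>Stack Trace:</b>\n"
        "[SqlException (0x80131904): Unclosed quotation mark after the character string 'x'.]\n"
        "   System.Data.SqlClient.SqlConnection.OnError(SqlException exception) +1767\n"
        "</body></html>"
    ),
    "php_quote_in_username": (
        "<br />\n<b>Warning</b>:  mysqli_query(): (42000/1064): You have an error in your "
        "SQL syntax; check the manual that corresponds to your MySQL server version for the "
        "right syntax to use near ''' at line 1 in <b>/var/www/html/login.php</b> "
        "on line <b>27</b><br />\n"
    ),
    "php_missing_table": (
        "<b>Fatal error</b>: Uncaught PDOException: SQLSTATE[42S02]: Base table or view not "
        "found: 1146 Table 'shop.user' doesn't exist in <b>/srv/app/db.php:14</b>\n"
    ),
    "java_bad_order_id": (
        "HTTP Status 500 - Internal Server Error\n"
        "java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended\n"
        "\tat oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:509)\n"
        "\tat com.example.shop.OrderDao.findById(OrderDao.java:42)\n"
    ),
    "hardened_generic_page": (
        "<html><body><h1>Something went wrong</h1>"
        "<p>Reference ID: 7f3a9c. Please try again later.</p></body></html>"
    ),
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RESPONSES).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it over the bodies your scanner or proxy captured; every hit is a response that should have been a generic error page, and the specific labels tell you which component leaked (the database fingerprints are the ones that matter most for an injection follow-up). The hardened sample produces no hits, which is the state to aim for after the fix.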
Recommendation
Handle all exceptions and return only a generic error message to the client, while recording the full detail (exception type, message, stack trace, failed query) in a server-side log. Pairing the generic message with an opaque reference id that is also written to the log lets support staff find the real error without exposing it. Platform-specific recommendations follow:
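The pattern behind all of the platform-specific settings is the same: catch everything at the request boundary, log the detail server-side under an opaque reference, and send the client nothing but that reference. The following Python is an added example of that pattern, not code from the original page; the request handler `lookup_user`, its query text and the in-memory log handler are constructed for the example (a real deployment would log to a file, syslog or SIEM instead).

```python
import logging
import traceback
import uuid


class _MemoryLog(logging.Handler):
    """Collects formatted records in memory so the example can show what was
    logged. Stand-in for a file/syslog/SIEM handler; constructed for the demo."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
log.setLevel(logging.ERROR)
MEMORY_LOG = _MemoryLog()
log.addHandler(MEMORY_LOG)

GENERIC_BODY = "An internal error occurred. Reference: {ref}"


def safe_call(handler, *args, **kwargs):
    """Run a request handler at the request boundary.

    On success return (200, body). On any exception, write the full traceback
    to the server-side log under an opaque reference id and return
    (500, generic body) that carries only that id, never the exception text."""
    try:
        return 200, handler(*args, **kwargs)
    except Exception:  # broad by design: nothing unhandled may reach the client
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s handler=%s\n%s", ref,
                  getattr(handler, "__name__", "?"), traceback.format_exc())
        return 500, GENERIC_BODY.format(ref=ref)


# Hypothetical handler standing in for application code that talks to the
# database; the failing query text is constructed for the example.
def lookup_user(user_id):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    raise RuntimeError(f"database error near ''' in: {query}")


def run_demo():
    """Drive one failing request and return what the client and the log see."""
    status, body = safe_call(lookup_user, "x'")
    ref = body.rsplit(" ", 1)[-1]
    logged = MEMORY_LOG.records[-1]
    return status, body, ref, logged


if __name__ == "__main__":
    status, body, ref, logged = run_demo()
    print("client sees:", status, body)
    print("server log :", logged)
```

The client-facing body contains the reference id and nothing else, while the log line carries the same id together with the traceback and the offending query, so the two can be correlated during incident handling without any of the detail ever leaving the server.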
ASP.NET
For ASP.NET, disable detailed error pages for remote clients by setting the mode attribute of the customErrors element to On or RemoteOnly. RemoteOnly still shows the full detail to requests originating from the server itself, which is convenient for local debugging; On hides it from everyone. Off must never be used in production. ASP.NET Core does not read customErrors: there, make sure the developer exception page middleware is enabled only in the Development environment and a generic exception handler is used otherwise.
Example configuration:

  <configuration>
    <system.web>
      <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
        <error statusCode="500" redirect="InternalErrorPage.aspx"/>
      </customErrors>
    </system.web>
  </configuration>
PHP
In PHP, keep errors out of the response by turning display_errors off while leaving logging on. Do not call error_reporting(0): it suppresses errors everywhere, including the error log, so faults go unnoticed rather than merely unexposed. At runtime:

  ini_set('display_errors', '0');
  ini_set('display_startup_errors', '0');
  ini_set('log_errors', '1');

Note that ini_set() called from application code runs too late to hide parse errors in the same file or errors raised during engine startup, so the php.ini setting is the reliable one.
You can also set this in php.ini (or per pool with php_admin_value under PHP-FPM), which covers startup and parse errors as well; restart PHP-FPM or the web server afterwards for the change to take effect:

  display_errors = Off
  display_startup_errors = Off
  log_errors = On
Java
In Java, Thread.setDefaultUncaughtExceptionHandler installs a handler for any exception that escapes a thread without a handler of its own, which is the right place to log and contain failures in standalone applications and background threads. It does not cover a servlet application: an exception that escapes a request is caught by the servlet container, which renders its own page, stack trace included, unless an error-page mapping is configured in web.xml (or, in Spring, an @ControllerAdvice exception handler). Configure a generic error page at that layer as well.