== Error Handling ==
'''Attacks of Concern''': Sensitive Information Disclosure, System Information Disclosure, Aiding exploitation of other vulnerabilities
=== User Facing Error Messages ===
Error messages displayed to the user should not contain system, diagnostic or debug information.
=== Debug Mode ===
Debug mode is supported by many applications and frameworks and is acceptable for Mozilla applications. However, debug mode should only be enabled in stage.
=== Formatting Error Messages ===
Error messages are often logged to text files or files viewed within a web browser.
* Text-based log files: Ensure any newline characters (%0A%0C) are appropriately handled to prevent log forging
* Web-based log files: Ensure any logged HTML characters are appropriately encoded to prevent XSS when viewing logs
=== Recommended Error Handling Design ===
* Log necessary error data to a system log file
* Display a generic error message to the user
* If necessary, provide an error code to the user which maps to the error data in the log file. A user reporting an error can provide this code to help diagnose the issue.
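
The design above, together with the log formatting rules from the previous section, as an added Python example (not Mozilla's code). All function names, the message text and the sample input are constructed for illustration, and the sketch goes slightly beyond the text by escaping every non-printable character, not only newlines.

```python
import html
import io
import logging
import secrets

GENERIC_MESSAGE = "An unexpected error occurred. Reference code: {code}"


def neutralize_for_text_log(value):
    """Escape CR, LF, other control characters and backslashes so one event is one line."""
    return "".join(ch if ch.isprintable() and ch != "\\"
                   else ch.encode("unicode_escape").decode("ascii") for ch in value)


def encode_for_web_log(value):
    """HTML-encode a logged value before a browser-based log viewer renders it."""
    return html.escape(value, quote=True)


def handle_error(logger, exc, user_input):
    """Log full detail under a random code; return only a generic message plus that code."""
    code = secrets.token_hex(4)
    logger.error(
        "code=%s type=%s detail=%s input=%s",
        code, type(exc).__name__,
        neutralize_for_text_log(str(exc)),
        neutralize_for_text_log(user_input),
    )
    return code, GENERIC_MESSAGE.format(code=code)


def demo():
    """Run a constructed failure through the handler and return what each party sees."""
    stream = io.StringIO()
    logger = logging.getLogger("errdemo")
    logger.handlers = [logging.StreamHandler(stream)]
    logger.propagate = False
    # Constructed input: a username carrying a forged log line and HTML markup.
    hostile = "bob\n2024-01-01 INFO login ok user=admin<script>alert(1)</script>"
    try:
        raise RuntimeError("/srv/app/db.py: no row for " + hostile)
    except RuntimeError as exc:
        code, user_message = handle_error(logger, exc, hostile)
    return code, user_message, stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

The user sees only the generic text and the reference code; the file path and the submitted value exist only in the log, where the embedded newline is written as a literal <code>\n</code>.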
=Further Reading=