m (→Uploads)
Line 339: | Line 339: | ||
== Error Handling == | == Error Handling == | ||
'''Attacks of Concern''': Sensitive Information Disclosure, System Information Disclosure, Aiding exploitation of other vulnerabilities | |||
=== User Facing Error Messages=== | |||
Error messages displayed to the user should not contain system, diagnostic or debug information. | |||
=== Debug Mode=== | |||
Debug mode is supported by many applications and frameworks and is acceptable for Mozilla applications. However, debug mode should only be enabled in stage. | |||
=== Formatting Error Messages=== | |||
Error messages are often logged to text files or files viewed within a web browser. | |||
* text based log files: Ensure any newline characters (%0A%0C) are appropriately handled to prevent log forging | |||
* web based log files: Ensure any logged html characters are appropriately encoded to prevent XSS when viewing logs | |||
=== Recommended Error Handling Design === | |||
* Log necessary error data to a system log file | |||
* Display a generic error message to the user | |||
* If necessary provide an error code to the user which maps to the error data in the logfile. A user reporting an error can provide this code to help diagnose the issue | |||
=Further Reading= | =Further Reading= |
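Review bot: in the "Formatting Error Messages" bullet on text based log files, the encodings given for newline characters, %0A%0C, do not match the wording: %0A is line feed but %0C is form feed, and carriage return is %0D. Suggest "(CR/LF, %0D%0A)" and widening the sentence to cover all control characters, since any unprintable byte that reaches a log line can be used to forge entries or break log parsers. The "Debug Mode" paragraph also needs a firmer statement: "should only be enabled in stage" leaves production implicit, so state explicitly that debug mode must be disabled in production builds and say where that is verified (for example a release checklist item). Finally, the "=Further Reading=" heading is level one while the sibling sections use level two; make it "== Further Reading ==" for consistency.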