ASP.NET Custom Errors vs. Compilation debug="false" and security
NickName:harrije Ask DateTime:2010-07-07T06:39:16

I keep reading that an ASP.NET based web site should have custom errors enabled in the web.config because exceptions will show a stack trace.

I may have a faulty memory (currently don't have access to an ASP.NET website under development), but I thought as long as Compilation debug="false" in the web.config file, then the stack trace will not be displayed.

Is my understanding correct about the debug flag and display of the stack trace? If so, then even if custom errors are not enabled, then won't the only message displayed to remote users for an exception be the non-descriptive message:

"The page cannot be displayed because an internal server error has occurred."

If so then wouldn't it be OK, from a security perspective, to not display a custom error page for the exception?

Copyright Notice:Content Author:「harrije」,Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/3190740/asp-net-custom-errors-vs-compilation-debug-false-and-security

Answers
Guffa 2010-07-06T22:58:29

No, a stack trace will still be shown even if the debug flag is off, but it will not have line numbers for each call in the stack.

The non-descriptive message is what the browser usually shows instead of the actual error message from the server, unless you change the configuration. Anyone wanting to expose information by causing error messages would know how to do this.

Displaying the stack trace isn't a security risk in itself, but it does expose some information that could potentially make it easier to hack the site. A hacker might for example get a clue as to what's done to sanitize the input and find a way around it.
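The following is an added example, not part of the original question or answer: a small Python check that reads a web.config and flags the two settings discussed above, showing that `debug="false"` on its own does not suppress detailed errors when `customErrors` is `Off`. The sample configurations and the `~/Error.aspx` path are constructed for illustration; the check assumes the ASP.NET defaults (`debug` false, `customErrors` mode `RemoteOnly`) when a setting is absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample: debug is off, but customErrors is Off, so the
# detailed error page (with stack trace) is still sent to remote clients.
WEAK = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: remote clients are redirected to a generic page.
# "~/Error.aspx" is a placeholder path.
HARDENED = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return findings for the error-disclosure settings under system.web."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    if web is None:
        return findings  # nothing declared here; inherited defaults apply

    compilation = web.find("compilation")
    # Assumed default: debug is false when the attribute is absent.
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true: stack traces include line numbers")

    errors = web.find("customErrors")
    # Assumed default: mode is RemoteOnly when the element or attribute is absent.
    mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors mode=Off: stack traces are sent to remote clients")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_web_config(cfg) or "no findings")
```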

