Error Messages Asp.net
This documentation is archived and is not being maintained.

How to: Display Safe Error Messages

When your application displays error messages, it should not give away information that a malicious user might find helpful in attacking your system. For example, if your application unsuccessfully tries to log in to a database, it should not display an error message that includes the user name it is using.

There are a number of ways to control error messages, including the following:

- Configure the application not to show verbose error messages to remote users. (Remote users are those who request pages while not working on the Web server computer.) You can optionally redirect errors to an application page.
- Include error handling whenever practical and construct your own error messages. In your error handler, you can test to see whether the user is local and react accordingly.
- Create a global error handler at the page or application level that catches all unhandled exceptions and routes them to a generic error page. That way, even if you did not anticipate a problem, at least users will not see an exception page.

To configure the application to turn off errors for remote users

In the Web.config file for your application, make the following changes to the customErrors element:

- Set the mode attribute to RemoteOnly (case-sensitive). This configures the application to show detailed errors only to local users (that is, to you, the developer).
- Optionally include a defaultRedirect attribute that points to an application error page.
- Optionally include
ASP.NET web-site, and would like the ability to conditionally show/hide runtime error messages depending on who the user visiting the site is.

For a normal user visiting the site you want to be able to display a friendly error message like this when a runtime error occurs:

But when someone within the “developers” security role of your application remotely accesses the site you want to instead show a more detailed exception stack trace error message about the problem without having to change any configuration data:

The below post describes how to use ASP.NET’s role-based security architecture in conjunction with the Global.asax Application_Error event handler to enable this. You can also download a sample I’ve built that shows how to implement this here.

Some Background Discussion on Error Handling and ASP.NET Custom Error Pages:

ASP.NET and .NET support a rich error-handling architecture that provides a flexible way to catch/handle errors at multiple levels within an application. Specifically, you can catch and handle a runtime exception with a class, within a page, or on the global application level using the Application_Error event handler within the Global.asax class. If a runtime exception isn’t handled/cancelled by one of these mechanisms, then ASP.NET’s Custom Error Page feature will kick in, and an error page will be sent back to the browser accessing the application.

ASP.NET’s Custom Error Page feature can be used to configure a “friendly error page” to be displayed to end-users in place of the standard “server error occurred” message sent back by ASP.NET. For example, the below web.config file section will cause remote users visiting the site to be redirected to a “friendlyErrorPage.htm” file anytime a runtime error occurs (note: HTTP 500 status code responses indicate runtime errors on the server):
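The role-based Application_Error approach described above, as an added example; it is not the sample from the original post. The role name "developers" and friendlyErrorPage.htm come from the text, while the logging call, the error id and the Web.config line quoted in the comment are assumptions.

```csharp
// Global.asax.cs (added example). "developers" and friendlyErrorPage.htm are
// taken from the text above; the logging call and error id are assumptions.
// Assumed Web.config, inside <system.web>:
//   <customErrors mode="RemoteOnly" defaultRedirect="friendlyErrorPage.htm" />
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    private const string DeveloperRole = "developers";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Page exceptions arrive wrapped in HttpUnhandledException; unwrap once.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Full detail always goes to the server-side log, keyed by an opaque id.
        string errorId = Guid.NewGuid().ToString("N");
        Trace.TraceError("Error {0} at {1}: {2}", errorId, Request.RawUrl, ex);

        // User is null when the failure happens before authentication has run.
        IPrincipal user = Context.User;
        bool isDeveloper = user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(DeveloperRole);

        // Everyone else: leave the error in place so customErrors sends the
        // friendly page, with no exception text in the response.
        if (!isDeveloper) return;

        // Developer role: render the detail ourselves and cancel the error so
        // the customErrors redirect does not replace it. Exception text can
        // echo request input, so it is HTML-encoded before being written.
        Response.Clear();
        Response.StatusCode = 500;
        Response.TrySkipIisCustomErrors = true;
        Response.Write("<pre>" + Server.HtmlEncode(
            "Error id " + errorId + Environment.NewLine + ex) + "</pre>");
        Server.ClearError();
    }
}
```

The role check only works if authentication and role membership are already configured for the application; requests that fail before authentication fall through to the friendly page.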
Best practice to return errors in ASP.NET Web API

I have concerns about the way that we return errors to the client. Do we return the error immediately by throwing HttpResponseException when we get an error:

    public void Post(Customer customer)
    {
        if (string.IsNullOrEmpty(customer.Name))
        {
            throw new HttpResponseException("Customer Name cannot be empty", HttpStatusCode.BadRequest);
        }
        if (customer.Accounts.Count == 0)
        {
            throw new HttpResponseException("Customer does not have any account", HttpStatusCode.BadRequest);
        }
    }

Or do we accumulate all errors and then send them back to the client:

    public void Post(Customer customer)
    {
        List<string> errors = new List<string>();
        if (string.IsNullOrEmpty(customer.Name))
        {
            errors.Add("Customer Name cannot be empty");
        }
        if (customer.Accounts.Count == 0)
        {
            errors.Add("Customer does not have any account");
        }
        var responseMessage = new HttpResponseMessage<List<string>>(errors, HttpStatusCode.BadRequest);
        throw new HttpResponseException(responseMessage);
    }

This is just sample code; it does not matter whether they are validation errors or server errors. I would just like to know the best practice and the pros and cons of each approach.

asked May 24
ASP.NET error message

Severity: Medium

Description

By requesting a specially crafted URL it is possible to generate an ASP.NET error message. The message contains the complete stack trace and the Microsoft .NET Framework version.

Remediation

Adjust web.config to enable custom errors for remote clients. Set customErrors mode to Off or RemoteOnly. customErrors is part of the system.web element. RemoteOnly specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value.