Error Handling and Logging
Always fail securely.
• Never output error messages containing sensitive data that could assist an attacker.
Error messages displayed to the user should not include the following:
◦ Stack traces
◦ Server system information
▪ Session ID
▪ Host name
▪ Port numbers
▪ File system paths
◦ Unauthorized application object information
• Use a generic, standard format for error messages and error pages.
• Detailed application errors and exceptions are logged only for debugging purposes.
• Password values are never logged. Custom code should never manage passwords.
• Security logs are protected from unauthorized access and modification.
• Use standard logging and Security Auditing APIs.
• Exceptions are handled appropriately using structured exception handlers or are passed up the call stack.
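
The checklist above as an added Python example (not part of the original page): the user gets a generic message with a reference ID, while the stack trace goes only to the server-side log, with password values masked as a backstop. The names handle_request, build_logger, RedactingFormatter, the logger name "app.errors" and the sample error are assumptions made for illustration.

```python
import logging
import re
import uuid

# Assumed pattern for password-like key/value pairs; extend for your own field names.
SECRET = re.compile(r"(?i)\b(password|passwd|pwd)\b(\s*[=:]\s*)\S+")
GENERIC_MESSAGE = "An unexpected error occurred. Reference: {ref}"


class RedactingFormatter(logging.Formatter):
    """Mask password values in the final log text, traceback included."""

    def format(self, record):
        return SECRET.sub(r"\1\2[REDACTED]", super().format(record))


def build_logger(stream):
    """Return an error logger writing redacted records to `stream`."""
    logger = logging.getLogger("app.errors")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def handle_request(action, logger):
    """Run `action`; on any exception deny the request and hide the details."""
    try:
        return {"status": 200, "body": action()}
    except Exception:
        ref = uuid.uuid4().hex[:12]  # correlation ID shared by user and log
        logger.exception("unhandled error ref=%s", ref)  # full trace, server side only
        return {"status": 500, "body": GENERIC_MESSAGE.format(ref=ref)}


def constructed_failing_action():
    # Constructed sample: the error text carries a file path and a password value.
    raise RuntimeError("cannot open /srv/app/conf/db.ini password=hunter2")


if __name__ == "__main__":
    import sys
    print(handle_request(constructed_failing_action, build_logger(sys.stderr)))
```

The redacting formatter is a safety net for values that reach the log by accident; it does not replace the rule that passwords are never passed to the logger.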