
How To Disable Custom Errors At Webroot



A custom error is a page defined by the developer that gets displayed instead of the raw exception and stack trace information. This is commonly done for "File Not Found" pages, but can be defined for many exceptions.

It lets the application show a more user-friendly message and stops it from leaking internal application information, such as exception messages and stack traces, which could pose a security risk.

Custom Error Pages in IIS / ASP.NET

Using a custom error page provides a professional user experience and prevents revealing sensitive technical details. By default, local users see detailed error pages (the Exception Details "Yellow Screen of Death", or YSOD), while remote users see a Runtime Error page.

Custom error pages improve usability and can be configured to display friendly messages for specific HTTP status codes. They should be paired with proper error logging and developer notifications to diagnose production issues.

Error Logging and Notification
  • Production errors should always be logged (e.g., into a database).
  • Developers should be notified when an error occurs since users rarely report issues.
  • Custom error pages cannot access exception details, so logging must be done elsewhere in the request pipeline.

HTTP Errors in IIS
  • The httpErrors element in web.config allows custom responses for specific HTTP error codes.
  • You can configure static pages, dynamic content, or redirection based on the status code.
  • Attributes such as existingResponse, responseMode, and errorMode control how errors are displayed to users.
  • Recommended setting: errorMode="DetailedLocalOnly", which shows detailed errors only for requests made on the local server; remote clients receive the custom error pages.

By default, IIS uses built-in error pages, but you can replace them with customized pages that match your website's design.
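
The following web.config is an added example, not taken from the original page, that applies the settings described above at the site root. The error page names and paths (Error.aspx, NotFound.aspx, errors\404.html, errors\500.html) are assumed placeholders for pages you supply.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <system.web>
    <!-- Weak setting to look for and replace:
           <customErrors mode="Off" />
         With mode="Off", every client, remote ones included, receives
         the raw exception message and stack trace. -->

    <!-- RemoteOnly: detailed errors on the server itself, the custom
         page for everyone else. ResponseRewrite serves the page without
         a redirect, so the address bar keeps the original URL. -->
    <customErrors mode="RemoteOnly"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>

  <system.webServer>
    <!-- Weak setting to look for and replace:
           <httpErrors errorMode="Detailed" />
         This returns IIS detailed error pages to all clients. -->

    <!-- DetailedLocalOnly: detailed errors for local requests, the
         custom pages below for remote requests. -->
    <httpErrors errorMode="DetailedLocalOnly">
      <!-- Remove the built-in entry before adding a replacement for
           the same status code. -->
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="errors\404.html" responseMode="File" />

      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" path="errors\500.html" responseMode="File" />
    </httpErrors>
  </system.webServer>

</configuration>
```

Neither custom page receives the exception object, so exceptions still have to be logged elsewhere in the request pipeline, as noted in the logging section above.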
