Suppress HTTP 500 responses

I had some feedback from some people about threats and vulnerabilities related to websites returning HTTP 500 response codes. In fact, the advice is to take all possible measures so that the server does not return 500 (that is, extensive input form checking), which is fine.

However, the advice also suggested that attempts to compromise security using tools such as pasting a tag into a random query string, which causes ASP.NET to validate or manipulate widgets, should not return HTTP 500. Obviously, the behavior of the built-in structure is to interpret the request and possibly throw custom errors to the page, but even that will return a 500 response code.

So, I am after some thoughts on how to approach this. Is there a way to configure the application at the .NET or IIS level to return HTTP 200 when 500 is raised? Or will this become a global.asax coding exercise in one of the application events? Are there any other implications for consideration?

By the way, the justification on the security side is that applications that return HTTP 500 can be considered "low-hanging fruit" by bots that randomly scan for vulnerabilities and cause further malicious activity. I am personally not convinced that changing the response codes provides any real security gain, but I am happy to follow the advice of professionals.

+2
3 answers

The answer to your question: global.asax is the right place, in particular the Application_Error event handler. You should do something like

Response.StatusCode = 200
Response.StatusDescription = "OK"

there.

PS: Do not do this. :-) For me, this sounds like another approach based on a security standard compared to a violation of the standards. I really don't think that the (possibly marginal) increase in security is worth breaking the correct behavior of HTTP (think about Google indexing error pages, etc.).

+4

Why? Sending a 500 code without any other information does not give the attacker much information.

If you do not return a stack trace, state dumps, etc. to the client, then you are fine. And I very much doubt that you want to do this.

, "500" ( ) 500 - .

200, , - , , , . , "500 " Google, 200.

+4

In the config:

<system.web>
  <customErrors mode="On" defaultRedirect="~/DefaultErrorPage.htm">
    <error statusCode="500" redirect="~/CustomError.aspx"/>
  </customErrors>
</system.web>

...!

Make sure there are NO errors on your custom error page. Usually you use an html page, not an aspx page, but if you want to change the response headers, you may need to use an aspx page. Do nothing else but change the headers (i.e., do not output any data from the database or run any logic), because an error on your custom error page will result in a "maximum redirects" error.

+1
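The Application_Error handler from the first answer and the customErrors config from the third answer both leave the real question open: what to do in the handler so that nothing leaks but HTTP semantics stay honest. The following global.asax.cs is an added example, not code from any of the answers. It logs the full exception server-side only, sends a generic body, keeps 500 for genuine server faults, and (my suggestion, not the answers') maps ASP.NET's HttpRequestValidationException, the case the question describes of a tag pasted into a query string, to 400, since a rejected dangerous input is a client error. The "MyApp" source name is a placeholder.

```csharp
// global.asax.cs (added example). Assumes ASP.NET 3.5+ on IIS 7+ integrated mode.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions in HttpUnhandledException; unwrap it.
        Exception root = (ex is HttpUnhandledException && ex.InnerException != null)
            ? ex.InnerException : ex;

        // Full detail (including the stack trace) stays in the server-side trace log;
        // "MyApp" is a placeholder category name.
        Trace.TraceError("[MyApp] {0} {1} from {2}: {3}",
            Request.HttpMethod, Request.RawUrl, Request.UserHostAddress, root);

        // Request validation rejecting dangerous input is the client's fault: 400.
        // Anything else is a genuine server fault and keeps 500 (not 200).
        int status = (root is HttpRequestValidationException) ? 400 : 500;

        Server.ClearError();                    // suppresses the yellow screen of death
        Response.Clear();                       // discard any partially rendered page
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true; // IIS must not replace our body
        Response.ContentType = "text/html";
        Response.Write(status == 400
            ? "<html><body>The request could not be processed.</body></html>"
            : "<html><body>An error occurred. Please try again later.</body></html>");

        // CompleteRequest() ends the pipeline without the ThreadAbortException
        // that Response.End() raises.
        CompleteRequest();
    }
}
```

Because Server.ClearError() is called, the customErrors redirect from the third answer no longer fires for these requests; keep that config anyway as the fallback for errors raised outside this handler.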
