Secure Sitecore : Why use a custom 500 error page?

Enable custom errors so that users cannot see sensitive information such as file paths, stack traces and the .NET version. A potential attacker can learn a lot about your environment just by looking at the default error page.

There are several things you can do to secure your Sitecore instance, starting with the Sitecore Security Hardening Guide. Along with the steps documented there, there are several others you should implement to secure your instances.

[Screenshot: error1]

The good thing is that Sitecore by default sets customErrors to RemoteOnly. This way the detailed error information is shown when you are working locally, while a generic error is displayed when the site is accessed remotely.

[Screenshot: error2]

Most of us are used to setting up default 500 and 404 pages, but I have seen instances where developers forget. The best thing to do is to set the default 500 page. For now I am going to set it to a physical HTML file. There are different schools of thought depending on the security team you have to answer to. The ones I have dealt with argue that if you set it to a Sitecore page, /500 for instance, it might cause a recurring loop if the Sitecore solution code itself is the problem. If you use a standalone 500.html file instead, it will always render. The disadvantage is that the content of this file cannot be managed without a code change.

[Screenshot: error3]

Setting a default page is better, but we can do better. By default redirectMode is ResponseRedirect, which redirects the browser to the error page and puts the path of the failing request in the URL. To avoid that we set redirectMode to ResponseRewrite, so that the URL where the error occurred stays as it is while the response is served from the custom error page.
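The three settings discussed above (RemoteOnly, a static default page, ResponseRewrite) combined into the customErrors element of web.config, as an added example that is not from this post or from Sitecore; the file names 500.html and 404.html at the site root are assumptions. The first fragment is the weak setting, the second the hardened one.

```xml
<!-- Added example, not from the post or from Sitecore. -->

<!-- Weak: custom errors disabled, so every visitor, local or remote,
     gets the default ASP.NET error page with paths, stack trace and .NET version. -->
<system.web>
  <customErrors mode="Off" />
</system.web>

<!-- Hardened:
     mode="RemoteOnly"            detailed errors only for requests from the server itself
     defaultRedirect="/500.html"  static file (assumed name) that renders even when the
                                  Sitecore solution code itself is broken, so no error loop
     redirectMode="ResponseRewrite"  serve the page in place; the failing URL is not
                                  copied into the address bar as a redirect target
     <error statusCode="404">      separate static page (assumed name) for not-found requests -->
<system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="/500.html" redirectMode="ResponseRewrite">
    <error statusCode="404" redirect="/404.html" />
  </customErrors>
</system.web>
```

ResponseRewrite delivers the error page with Server.Transfer, so defaultRedirect must point at a file on disk that the ASP.NET pipeline can transfer to, which is another reason a static 500.html fits here. As the comments below point out, customErrors on its own does not change the HTTP status code returned with the custom page; it only controls what the visitor sees.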

[Screenshot: error4]

If you have any questions or concerns, please get in touch with me (@akshaysura13 on Twitter or on Slack).

5 comments

  • LonghornTaco 11 months ago

    Interesting… Hadn’t ever noticed that redirectMode property before.

    Good stuff!

  • Oliver 11 months ago

    @Akshay: when creating a custom 500 Error Page, did you ever encounter that in the Sitecore Backend (Content Editor, Experience Editor, Desktop UI) in Error Message-Popups the custom 500 Error Message is showing up instead of the usually default Sitecore Error message related to the faulty action?

  • akshaysuraadmin 11 months ago

    Yes, this is normal behavior if the site raises a 500 error. You could troubleshoot it locally if you have the custom errors set to RemoteOnly or Off along with debug.

  • Raja 10 months ago

    But this doesn’t set the HTTP status code to 500. This article explains how:
    http://benfoster.io/blog/aspnet-mvc-custom-error-pages

  • akshaysuraadmin 10 months ago

    Thank you for your comment. This blog post is to illustrate the need for a 500 page. I do understand that it does not set the 500 status code. Please try to look at the post from a security perspective.

    Thanks
