[MGNLCE-292] Provide default error page not disclosing server info Created: 09/Dec/21  Updated: 18/Dec/21

Status: Selected
Project: Community Edition
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Jan Haderka Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)

 Description   

Default Tomcat error page discloses error stacktrace (if any). That's great during development, but causes issues in production where it can be used by attacker of the system to gain knowledge about internals of the product and how it responds to errors. Hence the practice it frowned upon by security experts.

We should change default value in shipped web.xml so that the information is not disclosed. Devs should rely on log files for errors instead.

As of Servlet 3.0 spec we could simply set one generic page for all (while keeping more specific ones for specific errors where desirable).

<error-page>
    <location>/errorpages/generic.html</location>
</error-page>

 

Alternatively (spec 2.5) we could also try to set page for generic exception, but would need to test behavior when combined with error codes. Not sure what takes the precedence:

<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/errorpages/exception.html</location>
</error-page>

 


Generated at Mon Feb 12 00:07:59 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.