Secure error messages in software systems
In computer security and the usability of software systems, a secure error message is an error message designed so that it does not itself create or reveal a security vulnerability.
The designer should give the user enough information to make an informed decision, but not so much that the user is overwhelmed or confused. Extraneous information may be hidden by default or placed in a separate location, such as a server-side log. An error message should not expose information that an attacker could use to learn something that is otherwise difficult to obtain. Examples are login systems that report either "invalid user" or "invalid password" depending on which one is incorrect, which lets an attacker enumerate valid usernames, and the default error page of the IIS 5.0 web server, which provides a complete technical description of the error, including a source code fragment.
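The following is an added example, not code from the original article or from any product mentioned in it, illustrating both points above: a login routine that leaks which part of the credential was wrong beside one that returns a single generic message (and does the same amount of work whether or not the user exists, so response time does not leak it either), and an error handler that keeps the technical detail in the server log and shows the client only a reference number. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets
import traceback

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one user with a salted PBKDF2 hash. Not real credentials.
_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery staple", _SALT_ALICE)),
}

# Dummy record so that an unknown username still costs one password hash.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """'Before': two different messages tell the attacker whether the username exists.
    The early return also makes unknown users answer noticeably faster (no hash)."""
    if username not in USERS:
        return (False, "invalid user")
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return (False, "invalid password")
    return (True, "ok")


def login_safe(username: str, password: str) -> tuple:
    """'After': one generic message for every failure, and the same hashing work
    whether the user exists or not, so neither the text nor the timing reveals it."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest is evaluated first (constant time); the membership check
    # prevents a guess of the dummy password from logging in as a nonexistent user.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and username in USERS
    if ok:
        return (True, "ok")
    return (False, "invalid username or password")


def safe_error_response(exc: BaseException, log: logging.Logger = None) -> dict:
    """Split an unexpected error into what the client sees and what the log keeps.
    The client gets a generic sentence plus a random reference; the traceback,
    exception type and message go only to the server-side log, keyed by that reference."""
    log = log or logging.getLogger("app")
    reference = secrets.token_hex(8)
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log_line = f"request {reference} failed: {detail}"
    log.error(log_line)
    return {
        "status": 500,
        "reference": reference,
        "client": f"An internal error occurred. Reference: {reference}",
        "log": log_line,
    }


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_safe("bob", "x"), login_safe("alice", "x"))
    try:
        1 / 0
    except ZeroDivisionError as e:
        print(safe_error_response(e)["client"])
```

Note that hiding the message alone is not enough: if the unknown-user path skips the password hash, the response time still distinguishes the two cases, which is why `login_safe` always hashes against a dummy record. The reference number in the error response is what lets support staff find the full detail in the log without the client ever seeing it.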
External links
- Everett McKay. MSDN: Writing Error Messages for Security Features.