GQ-4943 asked SamWu-MSFT commented

Hide / Remove Stack Trace information

Kindly find the link for error details.

Error 400 Stack trace sample

The background is that my users are running a web-based COTS product. Recently, the application went through a vulnerability assessment, and one of the issues found was related to the exposure of information via Stack Trace. Over at our end we tried the following:

  • Assigned an error page for error 400 via IIS and restarted IIS

  • Ensured the following is correct and inside web.config: <trace enabled="false" localOnly="true">

  • Ensured the following is correct and inside web.config too: <customErrors mode="On" defaultRedirect="error.aspx" />

But the Stack Trace info still appears. I have no idea what else is causing the stack trace to still appear for that particular 400 error. The other errors were fine and catered for during the scan, with no stack trace information appearing. Does anyone have any idea what else I can do? Is there a chance it's caused by the COTS application instead?

Do note that my end goal is not to resolve 400 errors, but to hide/remove stack trace information for any error 400 occurrences.



windows-server-2016 windows-server-iis

The stack trace is automatically inserted in the Exception body to help you trace what caused the exception.

If you don't want to show it, direct the "request with error" to a custom error page.



Hi Cheong00,

I have already performed a redirect: <customErrors mode="On" defaultRedirect="error.aspx" />
I believe I do not need to specify another individual page for error 400?


It seems that for .NET Core MVC, you'll need additional configuration in code.

If it's .NET MVC you may try to handle it in Global.asax.



1 Answer

SamWu-MSFT answered SamWu-MSFT commented

Hi @GQ-4943

You can try to configure <requestFiltering> to DENY the verb TRACE.

<requestFiltering>
    <verbs>
        <add verb="TRACE" allowed="false" />
    </verbs>
</requestFiltering>

For more information, you can refer to this link: verbs.



Hi Sam,

As mentioned, we already tried this at our end inside the web.config file.


@GQ-4943 Sorry for not understanding your question, can you show me your web.config file?


Hi Sam,

Unfortunately I am not able to provide the web.config file due to internal security policies.

I am quite sure these three are in place already, but they are not working:

  • Assigned an error page for error 400 via IIS and restarted IIS

  • Ensured the following is correct and inside web.config: <trace enabled="false" localOnly="true">

  • Ensured the following is correct and inside web.config too: <customErrors mode="On" defaultRedirect="error.aspx" />


Hi Sam,

We are not trying to block incoming HTTP requests. We just want to remove/hide the stack trace information that would be exposed.


@GQ-4943 What project are you using? ASP.NET or others?


Hi Sam,

As mentioned, it's a COTS product. But it should be based on ASP.NET.

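Added example, not posted by anyone in this thread and not the COTS vendor's configuration: the settings listed in the question shown in place in web.config, alongside the IIS-level httpErrors section, whose existingResponse attribute decides whether the IIS error page replaces a body the application has already written. It assumes the 400 body is produced by the ASP.NET application, that the application sits at the site root, and that error.aspx (the page named in the question) is reachable at /error.aspx.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: merge these elements into the existing web.config, do not replace the file. -->
<configuration>
  <system.web>
    <!-- ASP.NET layer: covers only errors raised inside the ASP.NET pipeline. -->
    <customErrors mode="On" defaultRedirect="error.aspx">
      <!-- Explicit entry for 400 in addition to the default redirect. -->
      <error statusCode="400" redirect="error.aspx" />
    </customErrors>
    <!-- Page tracing disabled, as in the question. -->
    <trace enabled="false" localOnly="true" />
  </system.web>
  <system.webServer>
    <!-- IIS layer: the "error page for error 400 via IIS" from the question.
         errorMode="Custom" serves custom pages to local and remote clients alike.
         existingResponse="Replace" substitutes the IIS error page even when the
         application has already written its own response body for the error;
         "Auto" and "PassThrough" can leave that body, stack trace included, in place. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <!-- Drop any inherited 400 entry before defining ours. -->
      <remove statusCode="400" subStatusCode="-1" />
      <!-- Path is a server-relative URL (assumed location of error.aspx). -->
      <error statusCode="400" subStatusCode="-1"
             path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

Whether this removes the finding depends on which component writes the 400 body, so repeat the scanner's request after the change and inspect the response body for stack trace text.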