Best practices with custom error pages

Article ID: 834452

SUMMARY

Custom error pages are designed to display detailed error information that helps administrators and developers to troubleshoot and to solve Active Server Pages (ASP) coding issues. However, this detailed error information can provide the name of the ASP script that caused the error, a relative path to the script's location, and information about the line in the script that caused the error. This information could be used maliciously.

The following is an example of such an error:
Technical Information (for support personnel)

Error Type:
Microsoft VBScript runtime (0x800A01A8)
Object required: ''
/error.asp, line 20


Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 

Page:
GET /error.asp 

Time:
Wednesday, January 07, 2004, 8:28:37 PM 

MORE INFORMATION

The Custom Error Pages feature relies on 500-100.asp. The default 500-100.asp file showcases some of the error reporting abilities that are available with custom error pages. Administrators and developers use this information to troubleshoot custom ASP applications. However, some of the information that is made available in 500-100.asp could be used maliciously.

On production Web sites that use the Custom Error Pages feature, Microsoft recommends that developers create their own custom error pages to provide customer-friendly information, such as support numbers and e-mail addresses, to permit customers to inform the system administrators of problems that they experience on the Web site.

The following is an example of a secure custom error page:
<%@ language="VBScript" %>
<%
  Option Explicit

  ' Discard any partial output, then send a generic 500 response that
  ' carries no script name, path, or line number.
  If Response.Buffer Then
    Response.Clear
    Response.Status = "500 Internal Server Error"
    Response.ContentType = "text/html"
    Response.Expires = 0
  End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be displayed</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be displayed</h1>
There is a problem with the page you are trying to reach and it cannot be displayed.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator to let them know that this error has occurred for this URL address.</li>
</ul>
<h2>HTTP 500.100 - Internal server error: ASP error.<br>Internet Information Services</h2>
<hr>
</TD></TR></TABLE></BODY></HTML>
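A check for the details the SUMMARY lists (script name, relative path, line number) in a response body, run against the article's sample error and the custom page above. This is an added example, not part of the original article; the function name, the pattern set, and the choice of Python are assumptions made here.

```python
import re

# Patterns for the details the article says a default error page exposes.
# The pattern set is an assumption of this example, derived from the sample
# error shown in the SUMMARY section; extend it for other script engines.
LEAK_PATTERNS = {
    "script_engine": re.compile(
        r"Microsoft (?:VBScript|JScript) (?:runtime|compilation)", re.I),
    "error_code": re.compile(r"\(0x[0-9A-Fa-f]{8}\)"),
    "script_path_and_line": re.compile(
        r"(/[\w./-]*\.asp),\s*line\s+(\d+)", re.I),
    "support_heading": re.compile(
        r"Technical Information \(for support personnel\)", re.I),
}


def find_error_leaks(body):
    """Return {category: [matched text, ...]} for every leak found in body."""
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(body)]
        if hits:
            findings[name] = hits
    return findings


# The verbose error from the SUMMARY section of this article.
VERBOSE_ERROR = """Technical Information (for support personnel)
Error Type:
Microsoft VBScript runtime (0x800A01A8)
Object required: ''
/error.asp, line 20
Page:
GET /error.asp
"""

# Visible text of the custom error page shown above.
CUSTOM_PAGE = """<h1>The page cannot be displayed</h1>
There is a problem with the page you are trying to reach and it cannot be displayed.
<h2>HTTP 500.100 - Internal server error: ASP error.<br>Internet Information Services</h2>
"""

if __name__ == "__main__":
    for label, body in (("verbose", VERBOSE_ERROR), ("custom", CUSTOM_PAGE)):
        print(label, find_error_leaks(body) or "no leaks found")
```

Run it over the body returned by a page that is known to fail in a staging copy of the site; an empty result means the custom page is the one being served.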

REFERENCES

For more information about using custom error pages in IIS, see the following articles in the Microsoft Knowledge Base:
  • 311766 How Web site administrators can troubleshoot an "HTTP 500 - Internal Server Error" error message on IIS 4.0 or on IIS 5.0
  • 814869 Custom error messages in IIS 6.0
For more information about creating custom ASP error pages for use in development environments, see the following article in the Microsoft Knowledge Base:
  • 224070 Creating custom ASP error pages

Properties

Article ID: 834452 - Last Review: December 3, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 6.0