Your web server responds to the customer’s browser with a raw HTTP 500 message. To avoid disclosing too much system information and improve user experience, which of the following is the best solution? (Wentz QOTD)
A. Input validation
B. Bound checking
C. Exception handling
D. Change management
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Exception handling.
HTTP status code 500 means “Internal Server Error,” typically caused by program error or exception. If the exception is not handled appropriately and the system setting is not configured properly, the raw error message may respond to the clients that may disclose too much information or lead to a data breach, as the following diagram shows. Exception handling and appropriate configuration avoid this situation.
- Six Sigma
- The Use of Six Sigma in Security
- ISACA’s Guide to COBIT 5 for Information Security
- HTTP Response Status and Error Codes
- Bypassing IIS Error Messages in ASP.NET
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
您的Web服務器回應了原始的HTTP 500訊息到客戶的瀏覽器。為避免洩露過多的系統訊息並改善用戶體驗，以下哪項是最佳解決方案？(Wentz QOTD)
A. 輸入驗證 (Input validation)
B. 邊界檢查 (Bound checking)
C. 異常處理 (Exception handling)
D. 變更管理 (Change management)