Chapter 23. General Good Practices

This chapter is a little different from the others. It addresses aspects of writing secure applications that are important but that don’t require an entire chapter to explain. Consider this chapter a catchall!

Don’t Tell the Attacker Anything

Cryptic error messages are the bane of normal users and can lead to expensive support calls. However, you also need to limit what your error messages tell an attacker. For example, if an attacker attempts to access a file, you should not return an error message such as “Unable to locate stuff.txt at c:\secretstuff\docs”; doing so reveals a little more information about the environment to the attacker. Instead, return a simple error message, such as “Request Failed,” and log the error ...
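The following is an added illustration of this point, not code from the book: a leaky file-open routine that echoes the directory into the user-visible message sits beside a hardened version that returns only “Request Failed” and keeps the path and errno in a log line. The directory name reuses the book's example; the function names, the in-memory log buffer, and the `message_leaks_path` check are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Base directory taken from the book's example message (constructed path). */
#define DOC_DIR "c:\\secretstuff\\docs"

/* Buffer standing in for a real log sink (hypothetical); holds the last line logged. */
static char g_last_log[512];

const char *last_log_line(void) { return g_last_log; }

/* Returns 1 if a user-facing message appears to carry a path or drive letter.
 * Useful as a unit-test guard so a refactor cannot reintroduce the leak. */
int message_leaks_path(const char *msg)
{
    return strchr(msg, '\\') != NULL || strchr(msg, '/') != NULL ||
           strchr(msg, ':') != NULL;
}

/* Leaky version: tells the caller where the file was expected to live. */
int open_doc_leaky(const char *name, char *user_msg, size_t msg_len)
{
    char path[260];
    snprintf(path, sizeof path, "%s\\%s", DOC_DIR, name);
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        /* Environment detail goes straight to the user. */
        snprintf(user_msg, msg_len, "Unable to locate %s at %s", name, DOC_DIR);
        return -1;
    }
    fclose(f);
    snprintf(user_msg, msg_len, "OK");
    return 0;
}

/* Hardened version: generic message for the user, full detail only in the log. */
int open_doc_safe(const char *name, char *user_msg, size_t msg_len)
{
    char path[260];
    snprintf(path, sizeof path, "%s\\%s", DOC_DIR, name);
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        int err = errno;
        /* Operators need the path and errno; the user does not. */
        snprintf(g_last_log, sizeof g_last_log,
                 "open failed: path=%s errno=%d (%s)", path, err, strerror(err));
        snprintf(user_msg, msg_len, "Request Failed");
        return -1;
    }
    fclose(f);
    snprintf(user_msg, msg_len, "OK");
    return 0;
}

int main(void)
{
    char msg[256];
    open_doc_leaky("stuff.txt", msg, sizeof msg);
    printf("leaky: %s\n", msg);
    open_doc_safe("stuff.txt", msg, sizeof msg);
    printf("safe : %s\n", msg);
    printf("log  : %s\n", last_log_line());
    return 0;
}
```

Both routines fail the same way on a missing file; the difference is only in which channel receives the detail. The `message_leaks_path` check is a cheap regression test to run over every string an application hands back to a client.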
