NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-11 — Error Handling
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and Reveal error messages only to {{ insert: param, si-11_odp }}.
Supplemental Guidance
Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.
Practitioner Notes
Handle errors in a way that reveals useful information to legitimate users but not to attackers. Error messages should help users fix problems without exposing system internals.
Example 1: Configure your web applications to display user-friendly error pages ("Something went wrong. Please contact support.") rather than stack traces, database connection strings, or file paths. Log the detailed error information server-side for your developers.
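The following is an added example, not code from the control text or from any vendor, showing the split Example 1 describes in application code: the client gets a generic message plus a correlation ID, the server log gets the exception type, message and full traceback. It also covers the Supplemental Guidance point about failed-logon records: when the submitted username is not a known account it may be a password typed into the wrong field, so the record stores a keyed hash rather than the raw value. The function names, the log key, the account list and the ConnectionError message are all constructed for this example.

```python
"""Error handling that gives users a correlation ID and developers the detail."""
import hashlib
import hmac
import json
import logging
import secrets
import traceback
from typing import Optional

log = logging.getLogger("app.errors")

# Hypothetical per-deployment secret used to pseudonymise unknown usernames in
# failed-logon logs (constructed for this example; load it from a secret store).
LOGON_LOG_KEY = b"rotate-me-per-deployment"

GENERIC_MESSAGE = "Something went wrong. Please contact support."


def safe_error_response(exc: BaseException, request_id: Optional[str] = None):
    """Return (client_body, server_record) for an unhandled exception.

    client_body is what the user sees: a generic message and a correlation ID
    so support staff can find the server-side record.
    server_record is what goes to the application log: exception type, message
    and full traceback. None of it is placed in client_body.
    """
    request_id = request_id or secrets.token_hex(8)
    client_body = {"error": GENERIC_MESSAGE, "request_id": request_id}
    server_record = {
        "request_id": request_id,
        "exception_type": type(exc).__name__,
        "message": str(exc),
        "traceback": "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__)
        ),
    }
    log.error(json.dumps(server_record))  # server-side only
    return client_body, server_record


def failed_logon_record(submitted_username: str, known_accounts) -> dict:
    """Build a failed-logon log record without storing a possible password.

    If the submitted username is not a known account, the user may have typed
    a password into the username field. Log a keyed HMAC of the value instead:
    analysts can still correlate repeated attempts, but the log never holds the
    plaintext credential.
    """
    if submitted_username in known_accounts:
        return {"event": "logon_failed", "username": submitted_username}
    digest = hmac.new(
        LOGON_LOG_KEY, submitted_username.encode("utf-8"), hashlib.sha256
    ).hexdigest()[:16]
    return {
        "event": "logon_failed",
        "username": None,
        "unknown_principal_hmac": digest,
    }


if __name__ == "__main__":
    # Constructed failure: an internal hostname and service account that must
    # reach the log but never the browser.
    try:
        raise ConnectionError("could not connect to db01.internal:5432 as svc_app")
    except ConnectionError as e:
        body, record = safe_error_response(e)
        print("client sees:", json.dumps(body))
        print("log holds:", record["exception_type"], "-", record["message"])
    print(failed_logon_record("alice", {"alice", "bob"}))
    print(failed_logon_record("Tr0ub4dor&3", {"alice", "bob"}))
```

The correlation ID is the piece that makes the generic message actionable: support can join the user's report to the server record without the user ever seeing internals. Hashing unknown usernames is a trade-off; it hides a mistyped password from anyone reading the log but still lets analysts spot the same value being tried repeatedly.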
Example 2: In IIS, configure custom error pages and disable detailed error messages for remote clients. For ASP.NET applications, set the customErrors mode in web.config to "RemoteOnly" (remote users see the generic page; only requests from localhost see detailed debugging information) or "On" (everyone, including localhost, sees the generic page). For errors generated by IIS itself rather than the application, the equivalent setting is httpErrors errorMode="DetailedLocalOnly" or "Custom"; errorMode="Detailed" sends full diagnostics to every client and should not be used on an Internet-facing server. Also leave compilation debug="false" in production, since debug builds add source file names and line numbers to stack traces.
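The web.config fragment below is an added example, not taken from the control text or from Microsoft documentation, showing the weak settings beside the hardened ones for both layers Example 2 covers: ASP.NET customErrors for application exceptions and IIS httpErrors for errors the server itself generates. The error page paths are placeholders chosen for this example.

```xml
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" sends the ASP.NET stack trace and source context to every client.
         Do not ship this:
         <customErrors mode="Off" /> -->

    <!-- HARDENED: remote clients get the generic page; only localhost sees the detail.
         Use mode="On" if localhost should be blind as well. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Debug builds add file names and line numbers to traces; keep this false in production. -->
    <compilation debug="false" />
  </system.web>

  <system.webServer>
    <!-- WEAK: errorMode="Detailed" returns IIS diagnostic pages to every client.
         Do not ship this:
         <httpErrors errorMode="Detailed" /> -->

    <!-- HARDENED: IIS-generated errors (404, 500, etc.) get a custom page for remote clients.
         existingResponse="Replace" also replaces detailed error bodies that an application
         module produced; "PassThrough" would let them reach the client unchanged. -->
    <httpErrors errorMode="DetailedLocalOnly" existingResponse="Replace">
      <remove statusCode="404" />
      <error statusCode="404" path="/errors/404.html" responseMode="File" />
      <remove statusCode="500" />
      <error statusCode="500" path="/errors/500.html" responseMode="File" />
    </httpErrors>
  </system.webServer>
</configuration>
```

A quick check after deploying: request a non-existent page and a deliberately failing endpoint from a remote host and confirm neither response body contains a physical path, a stack frame or a connection string, then repeat from the server itself if you chose RemoteOnly or DetailedLocalOnly to confirm the detail is still available there for troubleshooting.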