I was working on my site, and I made an error in my web.config file, so that when I tried to login, I was transferred to a "Server Error" page with the Error Summary "HTTP Error 500.19 - Internal Server Error. The requested page cannot be accessed because the related configuration data for the page is invalid." OK, fair enough... I goofed. But what concerns me is that it includes a "Detailed Error Information" section, exposing the Physical Path to the file, and a few lines from the Web.config file (indicating on which line in the file the error was encountered). This seems like a serious security risk since the web.config file can have secure information. Is there a setting I can change so that such a Server Error does not expose this much information? Also, the detailed information stated "Failed Request Tracing Log Directory: E:\web\<myAccountName>\htdocs\tmpData", but I could not find any files there. Any suggestions? Thanks
You can set custom error pages for your 500, 400, and all other errors and display custom message to the users. Please see this article for details. You need to enable failed request tracing in IIS Manager. Please see this blog post for the instructions.
Thanks Dmitri. OK, it looks like I can redirect errors using either: - the web.config - the custom errors tab in the IIS Tools section of the control panel - the remote MS IIS Manager. And after finally RTFM, I realized that I had to go to IIS Manager to select the errors I wanted logged. One snag I am hitting with the custom errors: when I type in a non-existing page on my site, I get the proper custom error (for a 404). But if I type in the name of a page or folder that is locked via a web.config file, I am still getting a Microsoft Error page: Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Any further suggestions for this one? Thanks again.
