Remediation Steps
Follow the steps below to remediate this finding on a Microsoft IIS web server.
Configure custom error pages so that detailed error information is never sent to clients.
Open IIS Manager > select your site > Error Pages.
For each HTTP error code, set the response to a custom static HTML page that does not reveal stack traces or application internals.
Ensure the errorMode attribute of httpErrors is set to Custom in web.config:
<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="500" />
    <error statusCode="500" path="/errors/500.html" responseMode="File" />
  </httpErrors>
</system.webServer>
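To verify the setting after deployment, the check below audits a web.config for the httpErrors configuration shown above. It is an added example, not part of the original guidance; the function name audit_http_errors and both sample documents are constructed for illustration, and it reads only the one file, so values inherited from applicationHost.config or a parent web.config are not seen.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real site).
GOOD = """<configuration><system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="500" />
    <error statusCode="500" path="/errors/500.html" responseMode="File" />
  </httpErrors>
</system.webServer></configuration>"""

BAD = """<configuration><system.webServer>
  <httpErrors errorMode="Detailed" existingResponse="PassThrough" />
</system.webServer></configuration>"""


def audit_http_errors(web_config_xml, required_codes=("500",)):
    """Return a list of findings; an empty list means the file matches the remediation."""
    root = ET.fromstring(web_config_xml)
    # iter() also finds an <httpErrors> nested under a <location> element.
    node = next(root.iter("httpErrors"), None)
    if node is None:
        return ["no <httpErrors> element in this file; inherited settings apply "
                "(IIS default errorMode is DetailedLocalOnly)"]

    findings = []
    mode = node.get("errorMode", "DetailedLocalOnly")  # IIS default when omitted
    if mode != "Custom":
        findings.append(f'errorMode is "{mode}"; the remediation sets "Custom"')

    existing = node.get("existingResponse", "Auto")  # IIS default when omitted
    if existing != "Replace":
        findings.append(f'existingResponse is "{existing}"; the remediation sets "Replace"')

    # Every required status code needs an <error> entry pointing at a custom page.
    mapped = {e.get("statusCode"): e for e in node.findall("error")}
    for code in required_codes:
        entry = mapped.get(code)
        if entry is None:
            findings.append(f"no custom <error> entry for status {code}")
        elif not entry.get("path"):
            findings.append(f"<error> entry for status {code} has no path")
    return findings


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_http_errors(doc) or "OK")
```

Pass additional status codes in required_codes to cover every error code that has a custom page configured.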