Skip to main content

Remediation Steps

Follow the steps below to remediate this finding on Microsoft IIS webserver.

  1. In IIS Manager, select your site and open Error Pages.

  2. For each error code (especially 500), set the error response to a custom static HTML page that does not reveal internal details.

  3. In web.config, set:

    <system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace" />
</system.webServer>

  4. For ASP.NET applications, ensure customErrors is enabled in web.config:

    <customErrors mode="RemoteOnly" defaultRedirect="/errors/GeneralError.aspx" />
Back to top