Custom error pages are one of the things that I always saw in the nice-to-have requirements document when I was a software developer. You know, when we are done with the “real work”, we will start putting those in web.xml or web.config and start testing them out.
It almost never happened.
There were so many excuses: no time, for starters. Sometimes it was hard to get the log files from the production server, so error pages, as bad as they were, were looked at as a faster way to see the bug and get it fixed quickly to get that manager off our backs.
Plus, why implement something that will never be used? Don’t we create perfect code anyway? All the time?
My experience in software security and my deep interest in graphic design taught me differently.
Neglecting custom error pages can open a HUGE security hole in your application. 75% of the attacks that happen on the internet today are targeted at the application level. This includes your application but, more importantly, the underlying systems that support it, such as IIS, SQL Server, MySQL, etc. Every underlying system you can imagine has plenty of vulnerabilities: Windows, SQL Server, .NET, Oracle, etc. The attacker just wants to know which system you are using, and a default error page, with its stack trace and version details, hands over exactly that. After that it is just a matter of time until they are able to penetrate it, especially on unpatched systems.
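The disclosure described above can be checked from the defender's side before a release. This added example (not code from the original post) scans an error response for stack traces, database error strings and version banners; the signature list, the function name and both sample responses are constructed for illustration.

```python
import re

# Signatures of platform details that default error pages commonly expose.
BODY_SIGNATURES = {
    "ASP.NET error page": re.compile(r"Server Error in '.*?' Application|ASP\.NET Version:\s*[\d.]+"),
    ".NET stack trace": re.compile(r"^\s*at [\w.]+\(.*\) in .+:line \d+", re.M),
    "Java stack trace": re.compile(r"^\s*at [\w.$]+\([\w$]+\.java:\d+\)", re.M),
    "SQL Server error": re.compile(r"System\.Data\.SqlClient\.SqlException"),
    "MySQL error": re.compile(r"You have an error in your SQL syntax"),
    "Oracle error": re.compile(r"\bORA-\d{5}\b"),
}
# Response headers that name the server product or framework version.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION = re.compile(r"\d+\.\d+")

def find_disclosures(headers, body):
    """Return sorted labels for every platform detail the response reveals."""
    found = {label for label, rx in BODY_SIGNATURES.items() if rx.search(body)}
    for name, value in headers.items():
        # A bare product name is less useful to an attacker than a version.
        if name.lower() in BANNER_HEADERS and VERSION.search(value):
            found.add(f"header {name.lower()}")
    return sorted(found)

# Constructed sample responses (not captured from any real site).
DEFAULT_ERROR = (
    {"Server": "Microsoft-IIS/8.5", "X-AspNet-Version": "4.0.30319"},
    "<h1>Server Error in '/' Application.</h1>\n"
    "System.Data.SqlClient.SqlException: Invalid column name 'usr'.\n"
    "   at Shop.Data.Orders.Load(Int32 id) in C:\\src\\Shop\\Orders.cs:line 42\n"
    "Version Information: ASP.NET Version:4.0.30319\n",
)
CUSTOM_ERROR = (
    {"Server": "web"},
    "<h1>Sorry, something went wrong on our side.</h1>"
    "<p>Reference: 7f3a. <a href='/'>Back to the home page</a></p>",
)

if __name__ == "__main__":
    for label, (hdrs, html) in (("default", DEFAULT_ERROR), ("custom", CUSTOM_ERROR)):
        print(label, find_disclosures(hdrs, html))
```

Run against the error responses of a staging build, an empty list for every forced 404 and 500 is the result to aim for.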
Custom error pages keep you in control: We know that an error pretty much means a bug and that something went wrong with the application, but a nicely designed error page allows you to fail with grace. Users won’t think of this as a screwed-up application; they will feel informed of what’s going on, and that’s it. It gives you a chance to say: I screwed … I am sorry
Your customers will appreciate it.
Custom error pages are user friendly. You know that ugly stack traces FREAK people out, don’t you? The first thing I (and I am a software developer) think is: What did I do wrong? You don’t want your customers to feel guilty or bad about using your application. Custom error pages communicate the message to your users that it is the application’s fault, that we are sorry, and please come back again.
Users will understand. I do every single time LinkedIn gives me the screen above.
Custom error pages can add traffic to your web application: Just a last thought. If you changed your website and a customer bookmarked one of the old pages, he will get a 404 with the new website and he might not come back again, especially with traffic shaping/stealing ISPs. A custom error page is a way to redirect this user back to the new website by providing a nicely designed 404 page with a link to the home page. This can bring a lot of lost traffic back to your mainstream.
How did custom error pages help you?