Skip to content
Error Handling and Logging
- Do not disclose sensitive information in error responses, including system details, session identifiers or account information.
- Use error handlers that do not display debugging or stack trace information.
- Implement generic error messages and use custom error pages.
- The application should handle application errors and not rely on the server configuration.
- Properly free allocated memory when error conditions occur.
- Error handling logic associated with security controls should deny access by default.
- All logging controls should be implemented the server.
- Logging controls should support both success and failure of specified security events.
- Ensure logs contain important log event data.
- Ensure log entries that include un-trusted data will not execute as code in the intended log viewing interface or software.
- Restrict access to logs to only authorized individuals.
- Utilize a master routine for all logging operations.
- Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords.
- Ensure that a mechanism exists to conduct log analysis.
- Log all input validation failures.
- Log all authentication attempts, especially failures.
- Log all access control failures.
- Log all apparent tampering events, including unexpected changes to state data.
- Log attempts to connect with invalid or expired session tokens.
- Log all system exceptions.
- Log all administrative functions, including changes to the security configuration settings.
- Log all backend TLS connection failures.
- Log cryptographic module failures.
- Use a cryptographic hash function to validate log entry integrity.