Error Handling and Logging

Do not disclose sensitive information in error responses, including system details, session identifiers or account information.
Use error handlers that do not display debugging or stack trace information.
Implement generic error messages and use custom error pages.
The application should handle application errors and not rely on the server configuration.
Properly free allocated memory when error conditions occur.
Error handling logic associated with security controls should deny access by default.
All logging controls should be implemented the server.
Logging controls should support both success and failure of specified security events.
Ensure logs contain important log event data.
Ensure log entries that include un-trusted data will not execute as code in the intended log viewing interface or software.
Restrict access to logs to only authorized individuals.
Utilize a master routine for all logging operations.
Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords.
Ensure that a mechanism exists to conduct log analysis.
Log all input validation failures.
Log all authentication attempts, especially failures.
Log all access control failures.
Log all apparent tampering events, including unexpected changes to state data.
Log attempts to connect with invalid or expired session tokens.
Log all system exceptions.
Log all administrative functions, including changes to the security configuration settings.
Log all backend TLS connection failures.
Log cryptographic module failures.
Use a cryptographic hash function to validate log entry integrity.