How to set up web.config customErrors



CustomErrors are also often seen in development deployment < customErrors mode = “off” / >, so that detailed error information can be seen on the page. But it also provides clues for hackers to attack.


There are three optional settings for this node

  1. On: the safest option for server development because it always hides error messages.
  2. Remoteonly: display general error messages to most users, but complete error messages to users with server access. In other words, display custom errors only to the remote client and errors to the local host. Default value.
  3. Off: the most vulnerable option, which shows detailed error messages to every user visiting the site.

Detailed error information may expose the internal structure of the application. For example, if an error is reported in a written SQL statement, data tables and SQL statements may be exposed, which is very unsafe. Under the off setting, hackers will constantly try to pass different parameters, make your website go wrong, and then expose the internal structure of your application.


For example:

  <authentication mode="None" />
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime targetFramework="4.5" />
  <customErrors mode="Off" defaultRedirect="error">

Throw an exception directly in testaction, then we can see a yellow page similar to the following

On the yellow page, you can see that the page corresponds to the logical stack information, and then exposes the project structure information. Very unsafe.

So if mode = off and the error is recorded and cleared in the event application error, what results will be seen?

protected void Application_Error(object sender, EventArgs e)
      var context = HttpContext.Current;
      if (context != null)

        Exception objErr = context.Server.GetLastError();
        if (objErr != null)
          string err = "Error Caught in Application_Error event/n" + "Error in:" 
+ Request.Url.ToString() + "/nError Message:" + objErr.Message.ToString() +
       "/nStack Trace:" + objErr.StackTrace.ToString();
        ,,,,, log logic

 <customErrors mode="Off" defaultRedirect="Error">   

Defaultredirect specifies the default URL the browser points to when an error occurs. If defaultredirect is not specified, a general error is displayed. The URL can be either absolute (for example, or relative. Relative URLs (such as / errorpage. HTM) are relative to the web.config file that specifies defaultredirect, not to the page that generated the error. A URL starting with a tilde (~), such as ~ / errorpage. HTM, indicates that the specified URL is relative to the application root path.

Through the above operation, if off is set and an exception is caught in the application error event, and server. Clearerror(), a blank page will be displayed in the front page if an error is reported.

It can also be explained that if the application program fails, the application error event triggered first, and after clearerror, the result will not be seen on the page.


When on mode is set, if there is an error in the application, it will jump to the customized error page. The defaultredirect property is used here, and < error statuscode = “500” redirect = “error” / >


Literally, only remote, only remote what? Here’s an example. In the current coding environment, through vs debugging status, users who want to access remotely can use this machine as a server. So this is local. The browser for remote access is remote.

You can see that on the server side, you can still see the yellow page when you visit it, which is the error mentioned above. So what happens when we deploy the site on the server and then access it locally?

If you access the URL of the server through the client, you will jump to the default custom error page. So what’s the situation on the server side?

Description: displays custom errors only to remote clients and errors to local hosts


Therefore, do not shut down customErrors in the production environment. It is recommended to turn on remoteonly or on and define a custom error page.

The above is the whole content of this article. I hope it will help you in your study, and I hope you can support developepaer more.