10 Error handling
This chapter covers
- How ASP.NET Core handles uncaught exceptions
- When to use the developer exception page, and when not to
- Setting up a custom error page
- Displaying specific error messages depending on the HTTP status code
- Properly formatting errors within an API
In 2018, the healthcare and health IT news portal “Healthcare Dive” reported on a white paper by the security company Zingbox, which analyzed medical IoT devices (https://www.healthcaredive.com/news/hackers-exploit-data-in-error-messages-to-attack-connected-medical-devices/533329/). The researchers looked specifically at the error messages displayed on those devices and found that several devices included the following information:
- Database names and user names
- File paths on the server
- Source code file names, and the names of classes, methods, and parameters
- Source code line numbers
- Full stack traces
- And more
Error messages may be crucial during development. On a production system, they may have an entirely different impact: telling attackers intimate details about the system and software. With our ASP.NET Core applications, we need to, and can, do better.