Handle all Errors and Exceptions Checklist
4.2.10 Checklist: Handle all Errors and Exceptions
Handling exceptions and errors correctly is critical to making your code reliable and secure. Error and exception handling occurs in all areas of an application including critical business logic as well as security features and framework code.
Refer to proactive control C3: Validate all Input & Handle Exceptions and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.
1. Errors and exceptions
- Manage exceptions in a centralized manner to avoid duplicated try/catch blocks in the code
- Ensure that all unexpected behavior is correctly handled inside the application
- Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to enable the proper user response
- Ensure that exceptions logs give enough information for support, QA, forensics or incident response teams
- Carefully test and verify error handling code
- Do not disclose sensitive information in error responses, for example system details, session identifiers or account information
- Use error handlers that do not display debugging or stack trace information
- Implement generic error messages and use custom error pages
- The application should handle application errors and not rely on the server configuration
- Properly free allocated memory when error conditions occur
- Error handling logic associated with security controls should deny access by default
References
- OWASP Code Review Guide: Error Handling
- OWASP Improper Error Handling
- OWASP Top 10 Proactive Controls
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage