V24.1

Prevent Exposure of Sensitive Information

To help protect your application from specific security-related risks (exposure of sensitive information), follow the suggestions outlined in this help topic.

Prevent Exposure Through Error Messages

Unintended security risks may be introduced when a server throws an exception. A detailed exception message may include sensitive information about the application environment, users, or associated data (CWE-209).

Use the customErrors element in web.config to display custom error pages instead of the standard ASP.NET error page. The mode attribute controls who sees the custom pages: On enables them for every client, RemoteOnly shows them to remote clients while requests from the local machine still receive the detailed page, and Off disables them. Use On or RemoteOnly in production; Off exposes stack traces, file paths, and configuration details to every client. Also make sure that production builds are compiled with <compilation debug="false" />, because debug mode adds further detail to error output. The following example serves a custom page when a 404 or 500 error occurs. Because redirectMode is set to ResponseRewrite, the error page is written into the original response and the URL in the browser does not change; the default, ResponseRedirect, sends an HTTP redirect to the error page instead:

<customErrors mode="On" defaultRedirect="~/Error500.aspx" redirectMode="ResponseRewrite">
  <error statusCode="404" redirect="~/Error404.aspx" />
  <error statusCode="500" redirect="~/Error500.aspx" />
</customErrors>

Do not display Exception.Message values in your application UI because such values can include sensitive information. Use custom messages instead:

<form id="form1" runat="server">
    <dx:ASPxTextBox ID="EmailTextBox" runat="server" Caption="Email">
        <ValidationSettings RequiredField-IsRequired="true"></ValidationSettings>
    </dx:ASPxTextBox>
    <dx:ASPxLabel runat="server" ID="UpdateStatusLabel" Visible="true" />
    <dx:ASPxButton ID="UpdateButton" runat="server" Text="Update" OnClick="UpdateButton_Click" />
</form>

using System.Diagnostics;

protected void UpdateButton_Click(object sender, EventArgs e) {
    try {
        // ... update the record using EmailTextBox.Text
    } catch(InvalidOperationException ex) {
        // Full details go to the server-side log only; the user sees a fixed message.
        Trace.TraceError(ex.ToString());
        UpdateStatusLabel.Text = "The record could not be updated.";
    } catch(Exception ex) {
        // Never assign ex.Message to a control: it may contain connection strings, paths, or data.
        Trace.TraceError(ex.ToString());
        UpdateStatusLabel.Text = "A general error occurred.";
    }
}
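The customErrors element and the page-level try/catch above cover the two ends of the problem, but unhandled exceptions that escape a page still need one place where the full exception is recorded and the user gets only an opaque reference. The following Global.asax.cs and Error500.aspx.cs (shown together) are an added example, not DevExpress code. They assume an ASPxLabel with ID="ReferenceLabel" on Error500.aspx and a trace listener configured for System.Diagnostics.Trace; the name ErrorReference for the context item is also an assumption. The handler complements the customErrors configuration: when it runs it takes over, and the configuration remains the fallback for errors raised outside the handler.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;
        // ASP.NET wraps page exceptions in HttpUnhandledException; log the real cause.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // An opaque reference ties the user-visible message to the full server-side record.
        string reference = Guid.NewGuid().ToString("N");
        // ex.ToString() (type, message, stack trace, inner exceptions) goes ONLY to the log.
        // Request.Path is logged rather than RawUrl so query-string secrets stay out of the log.
        Trace.TraceError("[{0}] {1} {2}", reference, Request.Path, ex);

        // With mode="RemoteOnly", a request from the local machine still gets the detailed page.
        if (!Context.IsCustomErrorEnabled)
            return;

        var httpEx = ex as HttpException;
        int status = httpEx != null ? httpEx.GetHttpCode() : 500;

        // Clear the error so ASP.NET does not render its own exception page, then serve the
        // generic page in place (same effect as redirectMode="ResponseRewrite"). The reference
        // travels through Context.Items, which survives Server.Transfer, not through the URL.
        Context.Items["ErrorReference"] = reference;   // assumed item name
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true;
        Server.Transfer(status == 404 ? "~/Error404.aspx" : "~/Error500.aspx", false);
    }
}

// Error500.aspx.cs
public partial class Error500 : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Set by Application_Error; absent when the page is reached any other way
        // (for example, through the customErrors defaultRedirect).
        string reference = Context.Items["ErrorReference"] as string;
        ReferenceLabel.Text = reference != null
            ? "Something went wrong. Please contact support and quote reference " + reference + "."
            : "Something went wrong. Please try again later.";
    }
}
```

The reference is the only exception-related value that ever reaches the client, and it is server-generated, so the error page never reflects request input. Support staff search the log for the reference to see the full exception.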

Prevent Exposure Through Client-Side API

This section describes ways to prevent unauthorized client-side access to data fields in Card View, Grid View, Tree List, and Vertical Grid controls.

Prevent Access to Hidden Column Data

Grid-like controls allow you to hide specific columns from individual users (for example, by setting a column's Visible property to false). A hidden column is not rendered, but it remains bound to its data field, so its values are still available on the server and, by default, through the client-side API (for instance, with GetRowValues). Set the AllowReadUnexposedColumnsFromClientApi property to False to disable client-side access to data fields bound to hidden columns:

<dx:ASPxGridView ID="grid" runat="server" DataSourceID="CustomersDataSource" KeyFieldName="CustomerID">
    <SettingsDataSecurity AllowReadUnexposedColumnsFromClientApi="False" />
    <Columns>
        <dx:GridViewDataColumn FieldName="ContactName" />
        <dx:GridViewDataColumn FieldName="CompanyName" />
        <dx:GridViewDataColumn FieldName="City" />
        <dx:GridViewDataColumn FieldName="Country" />
    </Columns>
</dx:ASPxGridView>

Prevent Access to Unlisted Fields

By default, grid-like controls prevent client access to data fields that are not bound to a column (AllowReadUnlistedFieldsFromClientApi is False). Do not override this behavior by setting the property to True: the client would then be able to request any field of the bound data source, including fields you never intended to display. The following markup makes the default explicit:

<dx:ASPxGridView ID="grid" runat="server" DataSourceID="CustomersDataSource" KeyFieldName="CustomerID">
    <SettingsDataSecurity AllowReadUnlistedFieldsFromClientApi="False" />
    <Columns>
        <dx:GridViewDataColumn FieldName="ContactName" />
        <dx:GridViewDataColumn FieldName="CompanyName" />
        <dx:GridViewDataColumn FieldName="City" />
        <dx:GridViewDataColumn FieldName="Country" />
    </Columns>
</dx:ASPxGridView>

To further protect your application, query only the data the UI needs: execute a separate, explicitly projected query for each data source displayed in the UI, and never select sensitive fields that no column displays. A field that is not retrieved cannot leak through the client-side API, a hidden column, or any other path, regardless of how the grid is configured.
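As an added example (not DevExpress sample code) of combining the two SettingsDataSecurity properties with a query scoped to the user, the code-behind below binds the grid from the previous listing in code instead of through DataSourceID. The role name Support, the Phone column of a dbo.Customers table, the Northwind connection string, and the LoadCustomers helper are assumptions for illustration; the markup is assumed to declare only the public columns and no DataSourceID.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web.UI;
using DevExpress.Web;

public partial class Customers : Page
{
    // Allow-list of fields every user may see; sensitive fields are never part of it.
    static readonly string[] PublicFields = { "CustomerID", "ContactName", "CompanyName", "City", "Country" };
    // Fields that only the (assumed) Support role may see.
    static readonly string[] SupportFields = { "Phone" };

    bool MayViewContacts { get { return User.IsInRole("Support"); } }

    protected void Page_Init(object sender, EventArgs e)
    {
        // Lock the client API down in code as well, so a later markup edit cannot relax it.
        grid.SettingsDataSecurity.AllowReadUnexposedColumnsFromClientApi = false;
        grid.SettingsDataSecurity.AllowReadUnlistedFieldsFromClientApi = false;

        // Privileged columns are created at run time for privileged users only, instead of
        // being declared in markup and hidden. Page_Init recreates them on every request.
        if (MayViewContacts)
            foreach (string field in SupportFields)
                grid.Columns.Add(new GridViewDataTextColumn { FieldName = field, Caption = field });
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The query itself is scoped to the user's allow-list: a non-privileged request never
        // reads Phone from the database, so no grid setting has to stand between it and the client.
        string[] fields = MayViewContacts ? PublicFields.Concat(SupportFields).ToArray() : PublicFields;
        grid.DataSource = LoadCustomers(fields);
        grid.DataBind();
    }

    // Assumed helper: runs an explicitly projected SELECT and returns the rows as a DataTable.
    static DataTable LoadCustomers(string[] fields)
    {
        // fields comes only from the constant allow-lists above, never from the request,
        // which is what makes building the SELECT list by concatenation acceptable here.
        string sql = "SELECT " + string.Join(", ", fields) + " FROM dbo.Customers";
        string cs = ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
        using (var connection = new SqlConnection(cs))
        using (var adapter = new SqlDataAdapter(sql, connection))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The three layers are deliberately redundant: the SettingsDataSecurity properties stop the client API from reading anything that is not a visible column, the run-time column creation means no sensitive column exists in the page for a non-privileged user, and the projected query means the sensitive value is never loaded at all. Only the last layer holds if the grid is later reconfigured.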

Prevent Exposure Through Source Code

The default DevExpress HTTP handler (DXR.axd) serves static images, scripts, and styles. These static files are intended for public access and do not expose sensitive information or server-side code. To protect your application from CWE-540 and CWE-615 security risks, follow these recommendations:

  • Do not hardcode any credentials in custom scripts and styles.
  • Do not ship custom scripts or styles that reveal details of the backend system, its architecture, or potential weaknesses (for example, in comments or in descriptive function names). Where such scripts must be served, obfuscate them, keeping in mind that obfuscation only raises the effort required to read the code; it does not make the code secret, so it is no substitute for removing the information:

    function s1(){
        // ...
    }