Prevent Exposure of Sensitive Information
- 3 minutes to read
To help protect your application from specific security-related risks (exposure of sensitive information), follow the suggestions outlined in this help topic.
Prevent Exposure Through Error Messages
Unintended security risks may be introduced when a server throws an exception. A detailed exception message may include sensitive information about the application environment, users, or associated data (CWE-209).
Use the customErrors option to display custom error messages instead of standard ASP.NET error messages. The mode attribute specifies whether to enable/disable custom errors for local host and remote clients. The following example redirects users to custom error pages when a server error occurs:
<customErrors mode="On" defaultRedirect="~/Error500.aspx" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="~/Error404.aspx" />
<error statusCode="500" redirect="~/Error500.aspx" />
</customErrors>
Do not display Exception.Message values in your application UI because such values can include sensitive information. Use custom messages instead:
public ActionResult FormWithErrorMessage(EditFormItem item) {
if(ModelState.IsValid) {
try {
// ...
} catch(Exception ex) {
if(ex is InvalidOperationException) {
ViewData[UpdateStatusKey] = "Some error occured...";
} else {
ViewData[UpdateStatusKey] = "General error occured...";
}
}
} else
ViewData[UpdateStatusKey] = "Please, correct all errors.";
return View(item);
}
Prevent Exposure Through Client-Side API
This section describes ways to prevent unauthorized client-side access to data fields in Card View, Grid View, Tree List, and Vertical Grid extensions.
Prevent Access to Hidden Column Data
Grid-like extensions allow you to hide specific columns from individual users. These extensions do not display hidden columns to specific users but allow you to access hidden column data on the server or client side. Set the AllowReadUnexposedColumnsFromClientApi
property to False
to disable client-side access to data fields bound to hidden columns:
@Html.DevExpress().GridView(settings => {
settings.Name = "grid";
settings.CallbackRouteValues = new { Controller = "Columns", Action = "ColumnResizingPartial" };
settings.SettingsDataSecurity.AllowReadUnexposedColumnsFromClientApi = DefaultBoolean.False;
settings.Columns.Add("ContactName");
settings.Columns.Add("CompanyName");
settings.Columns.Add("City");
settings.Columns.Add("Country");
}).Bind(Model).GetHtml()
Prevent Access to Unlisted Fields
Grid-like extensions prevent client access to data fields that are not bound to a column. You should not override this behavior (set AllowReadUnlistedFieldsFromClientApi
to True
) because it may introduce security-related issues.
@Html.DevExpress().GridView(settings => {
settings.Name = "grid";
settings.CallbackRouteValues = new { Controller = "Columns", Action = "ColumnResizingPartial" };
settings.SettingsDataSecurity.AllowReadUnlistedFieldsFromClientApi = DefaultBoolean.False;
settings.Columns.Add("ContactName");
settings.Columns.Add("CompanyName");
settings.Columns.Add("City");
settings.Columns.Add("Country");
}).Bind(Model).GetHtml()
To further protect your application, execute separate queries for data sources displayed within the UI, and never request sensitive information/data.
Prevent Exposure Through Source Code
The default DevExpress HTTP handler (DXR.axd) serves static images, scripts, and styles. These static files are intended for public access and do not expose sensitive information or server-side code. To protect your application from CWE-540 and CWE-615 security risks, follow these recommendations:
- Do not hardcode any credentials in custom scripts and styles.
Obfuscate custom scripts that offer threat actors information about the backend system, its architecture, or possible vulnerabilities.
function s1(){ // ... }