[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14172086#comment-14172086 ]

Dominique Jäggi commented on SLING-4049:
----------------------------------------

{quote}The error handling system is configurable and I would think that for a production setup custom errorhandler scripts should be created which don't expose stacktraces, request progress trackers, and system version.{quote}

i don't think a production customer would understand the need to deploy custom code simply to turn off insecure stack traces / request progress. this sounds like wanting to evade the (rather minimal) effort of making this configurable.

> Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
> -----------------------------------------------------------------------------
>
>                 Key: SLING-4049
>                 URL: https://issues.apache.org/jira/browse/SLING-4049
>             Project: Sling
>          Issue Type: Improvement
>          Components: Servlets
>            Reporter: Dominique Jäggi
>
> it should be configurable whether during error display (40x, 50x, etc)
> stacktraces or the request progress is displayed or not.
> for production systems it is undesirable to exhibit information that may
> allow an attacker to determine internal information such as used scripts,
> paths, classes, line numbers, etc.
> ideally this could be centrally configured, affecting both e.g. the JSP
> handlers (404.jsp) as well as any other facility outputting error conditions.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)