The detailed errors also reveal HTTP substatus codes, which are helpful in debugging complex issues. The bad guys out there could use this information to conduct attacks on a web server or website. That is why the IIS server only shows a custom error page for remote requests by default.
Why are detailed errors important? ^
As discussed above, detailed errors are important when you want to debug a problem in a website hosted on a server running IIS. The custom error page shows an error message that is usually ambiguous. Let's have a look at the two screenshots below:
The above screenshot shows a typical 403 – Forbidden: Access is denied error using the custom error page displayed by IIS. It is not very helpful for website administrators. Now, let's have a look at the following screenshot:
This screenshot shows the same error with detailed error mode enabled. Now, it shows plenty of useful information that an administrator can use to identify the cause and fix the problem.
Enabling detailed errors using the IIS manager ^
To enable detailed errors:
- Open the IIS manager by pressing WinKey+R, typing inetmgr, and pressing Enter.
- Expand the Sites node and select the website for which you want to enable detailed errors.
- Under the IIS section in the Features View, double-click Error Pages (see the following screenshot).
- In the Actions pane on the right, click Edit Feature Settings.
- In Error Responses, you will see three options:
- Custom error pages
- Detailed errors
- Detailed errors for local requests and custom error pages for remote requests (default)
- Now select either the second or third option and click OK.
Since you can directly access the web server using remote desktop, selecting the third option is best. Now, you can open the web browser on the server itself and try to load the problematic webpage to see a detailed error page containing more technical information. By doing this, you're not enabling the bad guys out there to view the detailed information, since the detailed error is only displayed for local requests.
Enabling detailed errors using the web.config file ^
There are situations in which you cannot use the IIS manager to enable detailed errors. For example, if your website is hosted on a shared hosting site, you won't have access to the IIS manager. In such scenarios, you could enable detailed errors using the web.config file, which is usually located in the root directory of the website. Just add the following line inside the <system.webServer> tag:
<httpErrors errorMode="Detailed" />
Remember that by adding this line to the web.config file, you are forcing IIS to throw the detailed errors for local or remote requests.
Subscribe to 4sysops newsletter!
Once you identify the root cause of the problem, it is always recommended to disable detailed errors to prevent your website from revealing sensitive information.