Secure Error - Exception Handling. Error and Exception Handling Are Very - by Janani Subbiah - Codeburst
https://codeburst.io/secure-error-exception-handling-6745c3945116 1/14
6/21/24, 10:41 AM Secure Error/Exception Handling. Error and exception handling are very… | by Janani Subbiah | codeburst
understand what to do next (if there is something for them to do). But what if I told you that sometimes your error messages need to be presented at a high level without the intricacies of exactly what error occurred?
Securing applications is a Herculean task in and of itself. There really isn't a one-size-fits-all solution across applications, or even across the different layers of a single application. When we talk about security, the straightforward cases come to mind first: a user makes a request with incorrect credential(s) and the application denies it; if the credentials are correct, the application processes the request. This is important and fairly obvious. What is less obvious is how a secure application should handle errors and exceptions. How we handle an exception also depends on which layer of security the user has reached: have they authenticated yet? Do they have the right permissions?
Ideally, I would have liked to list out generic scenarios with recommendations on how to handle errors and exceptions, but I feel it might be more useful to talk about specific error handling scenarios in secure applications. Before we do that, I want to oversimplify and talk about the two layers of security: authentication and authorization.
Layers of Security
Authentication is verifying that you are who you say you are, and authorization is verifying that you are allowed to make the request you are trying to make (or access the resource you are trying to access).
With any secure software application, authentication is your first line of defense. If a user requests a protected resource (one that requires valid credentials for access), valid authentication credentials have to be presented, failing which the request must be denied. In the context of a REST API service, such a request results in a 401 (Unauthorized) status code, which tells the client that it needs to authenticate (or re-authenticate) before retrying.
The next layer of defense is your authorization layer: the one where the application verifies that the user (identified by their authentication credentials) may access the resource they are asking for. Not every application needs this layer; where it exists, it is typically role- or permission-based (OWASP's cheat sheet on access control may come in handy here). In the context of a REST API service, such a request results in a 403 (Forbidden) response. It is important to note that an authentication failure yields a 401 while an authorization failure yields a 403, and this distinction tells the client what needs to be fixed before the request can succeed: obtain credentials, or obtain permission. One caveat: a 403 also confirms that the resource exists. Where that fact is itself sensitive, the HTTP specification explicitly permits the server to answer 404 (Not Found) instead of 403 to hide the resource's existence, at the cost of the clearer signal.
Once a user has passed both layers of defense, all other validation of the incoming request follows. It is important to note that, in most scenarios, processing of the request (including input validation that touches application data) should not begin until the user has cleared authentication and authorization; otherwise the failure responses from that processing can leak information to callers who have not yet proven who they are.
things like max login attempts, email verification, two-factor auth, etc.
We can use our login example again here. Most applications do not require any auth to reach the login functionality (think of the login page that displays text fields for users to enter a username and password). Users need valid credentials to get past the login page, but the page itself is reachable by anyone on the internet. Security errors in such scenarios should be generic and must never expose sensitive information: for example, a failed login should report "Invalid username or password" rather than "User not found" or "Wrong password", because the more specific message tells an attacker which usernames are valid.
Logging
Logging is great. Logging is what allows developers to trace back what happened and figure out why. But logs must not, under any circumstances, expose sensitive information in any form: credentials, session tokens, API keys and the like should be masked appropriately or not logged at all!
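As an added example (not the post's own code), here is a Python logging filter that masks credentials before any record reaches a handler, together with a boundary wrapper that logs the full exception server-side and hands the client only a generic message plus a correlation id. The set of sensitive key names, the regexes, the in-memory handler and the `safe_call` helper are all assumptions made for this demo:

```python
import logging
import re
import traceback
import uuid

# Added example, not code from the original post. The sensitive key names and
# the regexes are assumptions for this demo; extend them to match your own
# request and log formats.
SENSITIVE_KEYS = {"password", "token", "authorization", "cookie", "secret", "api_key"}

# "Bearer <token>" anywhere in free text.
_BEARER_RE = re.compile(r"(?i)bearer\s+[a-z0-9\-._~+/]+=*")
# key=value, key: value and 'key': 'value' forms for the keys we care about.
_KV_RE = re.compile(
    r"""(?i)(['"]?)\b(password|token|api_key|secret)\1(\s*[:=]\s*)(['"]?)[^\s'",;&]+\4"""
)


def redact(value):
    """Recursively mask secrets in dicts, lists and strings; other types pass through."""
    if isinstance(value, dict):
        return {k: "***" if str(k).lower() in SENSITIVE_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = _BEARER_RE.sub("Bearer ***", value)
        value = _KV_RE.sub(lambda m: f"{m[1]}{m[2]}{m[1]}{m[3]}{m[4]}***{m[4]}", value)
    return value


class RedactingFilter(logging.Filter):
    """Redact structured args, render the message, then redact the rendered text,
    so nothing sensitive reaches any handler or formatter downstream."""

    def filter(self, record):
        if isinstance(record.args, dict):   # logging stores a lone mapping arg as-is
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class MemoryHandler(logging.Handler):
    """Keeps formatted records in a list so the example runs offline and can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name="secure-errors-example"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    handler = MemoryHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # logger-level filter runs before every handler
    return logger, handler


def safe_call(logger, func, *args):
    """Run a request handler at the API boundary. On any exception, log the full
    (redacted) traceback server-side and return only a generic message plus a
    correlation id that support staff can search the logs for."""
    try:
        return 200, func(*args)
    except Exception as exc:  # deliberately broad: this is the outermost boundary
        incident_id = uuid.uuid4().hex
        logger.error("incident %s: %s\n%s", incident_id, exc, traceback.format_exc())
        return 500, {"error": "Internal error", "incident_id": incident_id}


if __name__ == "__main__":
    log, mem = build_logger()
    log.info("login attempt %s", {"user": "alice", "password": "hunter2"})
    print(mem.lines[-1])
    print(safe_call(log, lambda req: req["missing"], {"path": "/reports"}))
```

The client never sees the exception class, message or stack trace; the incident id in the response is enough for an operator to find the full record, and the redaction runs before the record is formatted so it also covers tracebacks that quote a secret on the failing source line.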
Permissions should not be exposed
As far as role/permission-based access control goes, it is not good practice to tell the user which permissions they have versus which ones they need in order to access a resource. Let us consider an example:
The error message in this scenario should say something along the lines of "Does not have permissions to perform this operation" and not get into the specifics of what may be required to perform that task. This is just something to keep in mind and be aware of. There might be scenarios where this does not apply, but understanding the risk of exposing permissions helps make informed
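Putting the points above together in working code, as an added example that is not part of the original post: the 401 versus 403 split from "Layers of Security", the generic login error for the public login page, and the rule that permissions are not exposed. The user table, the permission names, the PBKDF2 parameters and the `authenticate` / `handle` function names are all assumptions made for this demo:

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. The user table, permission
# names and PBKDF2 parameters are constructed for this demo.
PBKDF2_ITERATIONS = 100_000

GENERIC_LOGIN_ERROR = "Invalid username or password"
GENERIC_AUTHZ_ERROR = "Does not have permissions to perform this operation"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password, permissions):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "permissions": frozenset(permissions)}


# Constructed user store: alice may read and write reports, bob may only read.
USERS = {
    "alice": make_user("correct horse battery staple", {"reports:read", "reports:write"}),
    "bob": make_user("hunter2", {"reports:read"}),
}

# A throwaway credential that is checked when the username is unknown, so an
# unknown user costs the same PBKDF2 work as a known user with a wrong password.
# Without it, response time alone would reveal which usernames exist.
_DUMMY = make_user(os.urandom(16).hex(), set())


def authenticate(username, password):
    """Return the user record on success, else None.

    Both the message and the amount of work are identical for "no such user"
    and "wrong password", so the caller cannot enumerate usernames.
    """
    known = username in USERS
    user = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["hash"]) and known:
        return user
    return None


def handle(username, password, action, hide_existence=False):
    """Process a request in the order the post describes: authenticate (401),
    then authorize (403), then do the work.

    The required permission is never echoed back to the client. Set
    hide_existence=True to answer 404 instead of 403 when even the existence
    of the resource must not be confirmed to unauthorized users.
    """
    user = authenticate(username, password)
    if user is None:
        # 401: the client must (re)authenticate. One message for every cause.
        return 401, {"error": GENERIC_LOGIN_ERROR}

    required = f"reports:{action}"
    if required not in user["permissions"]:
        if hide_existence:
            return 404, {"error": "Not Found"}
        # 403: authenticated but not allowed. Do not name `required` here.
        return 403, {"error": GENERIC_AUTHZ_ERROR}

    # Only now does request processing (and its own validation) begin.
    return 200, {"result": f"{action} ok"}


if __name__ == "__main__":
    print(handle("alice", "wrong", "read"))
    print(handle("nobody", "wrong", "read"))
    print(handle("bob", "hunter2", "write"))
    print(handle("alice", "correct horse battery staple", "write"))
```

Note that an unknown action name falls through to the same 403 (or 404) as a missing permission, so probing for valid action names yields nothing extra, and that the two 401 responses for "wrong password" and "no such user" are byte-for-byte identical.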
Conclusion
These scenarios are NOT an exhaustive list. There are several other security-related error scenarios where extra care is required in error handling. I highly recommend reading the OWASP guidelines while building any software application; they are one of the best aggregations of security-related information in a single location. I hope this post gets us all thinking about error and exception handling with regard to security in a new light, where sometimes the less information exposed, the more secure (and better) it is for the application!