System Internal Information

Keep internal system information to itself

  • Any information about the internal system, such as software names and versions (e.g. "Apache 2.2"), must not be made accessible to the user, whether in error messages, in HTTP headers or anywhere else.
  • Stack traces must not be displayed in the user interface. Instead, error pages must be used for controlled display.
  • Debug information must not be displayed in the user interface.
  • Personally identifiable information (e.g. passwords) must not be logged in plain text; at most, log a pointer (an opaque reference) to it.
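The four rules above, as an added example (not code from the original page): header names, field names and the keyed-pointer scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Assumed: response headers that commonly reveal software or versions (constructed list).
LEAKY_HEADERS = frozenset({"server", "x-powered-by", "x-aspnet-version", "x-runtime"})
# Assumed: request/log fields whose values must never reach the log in plain text.
SENSITIVE_FIELDS = frozenset({"password", "passwd", "token", "secret"})
# Constructed placeholder; a real deployment loads this key from its secret store.
LOG_POINTER_KEY = b"replace-me-with-a-server-side-secret"


def strip_version_headers(headers: dict) -> dict:
    """Rule 1: drop headers that name the software or its version before the response leaves."""
    return {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}


def pointer_for(value: str) -> str:
    """Opaque reference for a secret: lets an analyst correlate log lines without storing the value.

    A keyed HMAC is used rather than a plain hash, since a plain hash of a short
    password could be guessed offline by anyone who obtains the logs.
    """
    tag = hmac.new(LOG_POINTER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "ref:" + tag[:16]


def redact_for_log(record: dict) -> dict:
    """Rule 4: replace sensitive values with pointers; every other field passes through unchanged."""
    return {k: (pointer_for(v) if k.lower() in SENSITIVE_FIELDS else v) for k, v in record.items()}


def controlled_error_response(exc: BaseException) -> tuple[int, dict, str]:
    """Rules 2 and 3: keep the stack trace server-side under an incident id; show the user a generic page."""
    incident_id = uuid.uuid4().hex[:8]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("incident %s\n%s", incident_id, trace)  # full detail stays in the server log
    body = f"An internal error occurred. Please quote reference {incident_id} to support."
    return 500, {"Content-Type": "text/plain"}, body


if __name__ == "__main__":
    print(strip_version_headers({"Server": "Apache/2.2", "Content-Type": "text/html"}))
    print(redact_for_log({"user": "alice", "password": "hunter2"}))
    try:
        raise RuntimeError("database connection refused")
    except RuntimeError as e:
        print(controlled_error_response(e))
```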