Securing error messages
Enable the omit-error-message-details Metrics HTTP Servlet Extension Configuration object.
About this task
When developing an application that uses the PingDataMetrics server API, error messages should not be delivered from the API directly to a user. Also, the application should not depend on error messages or reason text. These messages can change over time, and their presence can depend on server configuration. Use the HTTP return code and the context of the request to create a client error message that displays to the user.
The PingDataMetrics server API has an omit-error-message-details Metrics HTTP Servlet Extension Configuration object. When enabled, this object restricts error messages to the typical reason phrase associated with the HTTP return code, such as Not Found for an HTTP 404 error. This prevents the server from inadvertently revealing information about itself or its data.
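The following Python function is an added example, not taken from the PingDataMetrics documentation. It builds the user-facing message from the HTTP return code and the request context only, and sends any server-supplied error text to the application log instead of the user. The function name, logger name, message wording, and reference ID are assumptions.

```python
import logging
import uuid
from http import HTTPStatus

log = logging.getLogger("metrics_client")  # hypothetical logger name

# Wording is owned by the client application and keyed on the status code
# only (assumed wording, adjust to the product).
USER_TEXT = {
    400: "The request for {what} was not valid.",
    401: "Sign in again to view {what}.",
    403: "You do not have permission to view {what}.",
    404: "Could not find {what}.",
}

def user_error(status, what, server_body="", ref=None):
    """Return the text to show the user, or None when status is not an error.

    what        -- request context chosen by the application, not user input
    server_body -- error text from the API; logged, never displayed
    """
    if status < 400:
        return None
    ref = ref or uuid.uuid4().hex[:8]  # lets support match a report to the log
    try:
        phrase = HTTPStatus(status).phrase
    except ValueError:  # non-standard code
        phrase = "Unknown"
    # %r escapes control characters so server text cannot forge log lines.
    log.warning("ref=%s status=%d (%s) context=%r server_body=%r",
                ref, status, phrase, what, server_body[:500])
    if status in USER_TEXT:
        template = USER_TEXT[status]
    elif status < 500:
        template = "The request for {what} could not be completed."
    else:
        template = "The metrics service is unavailable. Try again later."
    return template.format(what=what) + f" (ref {ref})"

if __name__ == "__main__":
    # Constructed response body, not real server output.
    print(user_error(404, "the CPU usage chart",
                     "constructed detail: no data source named 'cpu-prod-7'"))
```

Because the displayed text never depends on the response body, the application behaves the same whether or not omit-error-message-details is enabled on the server.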
Steps
- To enable the omit-error-message-details object, run the following command:

    $ bin/dsconfig set-http-servlet-extension-prop \
      --extension-name "{pingdatamet} Server REST API Servlet" \
      --set omit-error-message-details:true