PingIntelligence

Map server error messages to custom error messages

Backend server error messages (for example, a Java stack trace) can reveal internal implementation details to attackers. API Security Enforcer (ASE) can hide those details and return only a simple, customized error message to the client. The mappings from backend error codes to custom messages are defined in the /config/server_error.json file.

[Diagram: ASE intercepting a backend error response and returning a custom client error message]

For each HTTP error code you want to map, specify all three parameters (error_code, error_def, and msg_body) in server_error.json. For example, the following snippet of server_error.json maps error codes 500 and 503.

{
  "server_error": [
    {
      "error_code" : "500",
      "error_def" : "Internal Server Error",
      "msg_body" : "Contact Your Administrator"
    },
    {
      "error_code" : "503",
      "error_def" : "Service Unavailable",
      "msg_body" : "Service Temporarily Unavailable"
    }
  ]
}

In this example, when ASE receives a 500 or 503 error response from the backend application, it replaces the response with the custom error name (error_def) and message body (msg_body) defined in server_error.json. The original backend message, stack trace included, is not forwarded to the client.

To send the original error message from the backend server unchanged, do not include the associated error code in server_error.json. An empty server_error.json file, as shown below, translates no backend error messages at all, so every backend error body (including any stack trace) reaches the client as-is.

{
  "server_error": [
  ]
}

ASE checks for the presence of the server_error.json file at startup. If the file is not available, ASE does not start. Note that an empty mapping, as in the previous example, satisfies this check without hiding any backend error.
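The following is an added example, not Ping Identity's code or part of ASE, that models the mapping behaviour described above for both the populated and the empty server_error.json cases. It lints a server_error.json document (every entry must carry error_code, error_def and msg_body; duplicate codes are rejected; the 4xx/5xx range check is this example's own sanity rule, not a documented ASE constraint) and then applies the mapping to constructed backend responses, including a made-up Java stack trace, to show which responses get masked and which pass through.

```python
# Added example (not Ping Identity's code): lint a server_error.json mapping and
# model the substitution ASE performs on backend error responses.
import json

REQUIRED_KEYS = ("error_code", "error_def", "msg_body")


def load_server_error_map(text):
    """Parse server_error.json text into {error_code: {error_def, msg_body}}.

    Rejects entries that lack any of the three required parameters, duplicate
    codes, and codes outside 4xx/5xx (the range check is this example's own
    sanity rule, not a constraint documented for ASE).
    """
    doc = json.loads(text)
    entries = doc.get("server_error") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError('server_error.json must contain a top-level "server_error" list')
    mapping = {}
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {index}: expected an object")
        missing = [key for key in REQUIRED_KEYS if key not in entry]
        if missing:
            raise ValueError(f"entry {index}: missing {', '.join(missing)}")
        code = str(entry["error_code"])
        if not (code.isdigit() and len(code) == 3 and 400 <= int(code) <= 599):
            raise ValueError(f"entry {index}: error_code {code!r} is not a 4xx/5xx status")
        if code in mapping:
            raise ValueError(f"entry {index}: duplicate error_code {code}")
        mapping[code] = {"error_def": str(entry["error_def"]), "msg_body": str(entry["msg_body"])}
    return mapping


def apply_mapping(mapping, status, reason, body):
    """Model of the behaviour the page describes: if the backend status code is
    listed, replace the reason and body with error_def and msg_body; otherwise
    pass the original response through unchanged. Returns (status, reason, body)."""
    custom = mapping.get(str(status))
    if custom is None:
        return status, reason, body
    return status, custom["error_def"], custom["msg_body"]


# Constructed inputs: the page's two-entry mapping, the empty mapping, a config
# with a missing parameter, and a backend 500 whose body is a made-up stack trace.
CONFIG_WITH_MAPPINGS = json.dumps({
    "server_error": [
        {"error_code": "500", "error_def": "Internal Server Error", "msg_body": "Contact Your Administrator"},
        {"error_code": "503", "error_def": "Service Unavailable", "msg_body": "Service Temporarily Unavailable"},
    ]
})
CONFIG_EMPTY = json.dumps({"server_error": []})
CONFIG_MISSING_FIELD = json.dumps({"server_error": [{"error_code": "500", "error_def": "Internal Server Error"}]})
BACKEND_STACK_TRACE = (
    "java.lang.NullPointerException\n"
    "\tat com.example.orders.OrderService.lookup(OrderService.java:42)\n"
    "\tat com.example.orders.OrderController.get(OrderController.java:17)\n"
)


def demo():
    """Run the cases a reviewer of this config would want to see."""
    mapping = load_server_error_map(CONFIG_WITH_MAPPINGS)
    # Listed code: the stack trace is replaced by the custom message.
    masked = apply_mapping(mapping, 500, "Internal Server Error", BACKEND_STACK_TRACE)
    # Unlisted code: the backend response passes through unchanged.
    passthrough = apply_mapping(mapping, 404, "Not Found", "no such order")
    # Empty mapping file: nothing is translated, so the stack trace leaks.
    unmasked = apply_mapping(load_server_error_map(CONFIG_EMPTY), 500, "Internal Server Error", BACKEND_STACK_TRACE)
    try:
        load_server_error_map(CONFIG_MISSING_FIELD)
        lint_error = None
    except ValueError as exc:
        lint_error = str(exc)
    return {"masked": masked, "passthrough": passthrough, "unmasked": unmasked, "lint_error": lint_error}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run the lint against a candidate server_error.json before deploying it: a missing msg_body or a typo in a key name would otherwise leave that status code unmapped, and the backend's own error body would be returned to clients.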