One part of web hosting that is easy to overlook is error message security. Every website displays an error message from time to time, whether for a failed login attempt or a mistyped page URL. How does security relate to error messages? The more specific those messages are, the more they hand to an attacker: which usernames exist, which software you run and at what version, and where in your code a bug lives.
Example 1: If you have any type of login form on your site, some people will try to log in as other users and take over their accounts. Often they start with easy-to-guess username/password combinations, and if your error messages give away too much, you make that job easier for them.
If, for example, they get the username right but the password wrong, your error message should not read “Your password was incorrect”. That confirms the username is valid, so they can keep guessing passwords for that one user, and tried against a list of names it lets them enumerate your whole user base. Instead use one generic message for every failure: “Incorrect username or password”. The wording is only half of it: if the unknown-username path answers faster than the wrong-password path, or returns a different status code or page layout, the difference leaks the same fact, so both failure paths should do the same work and return the same response.
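The two login handlers below show the difference in code. This is an added example, not code from the original article: the user store, the dummy record for unknown usernames, and the PBKDF2 parameters are all assumptions made for the illustration. The leaky version returns a different message depending on which check failed and skips the password hash for unknown users; the safe version hashes on every path and returns one message.

```python
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Incorrect username or password"

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; any slow password hash will do. What matters here is that
    # it runs on every failure path, so timing does not reveal which path ran.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store for the example (username -> (salt, hash)).
# A real site would load this from its database.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Dummy credentials used when the username is unknown, so that path costs the
# same as a real comparison (assumption: a single dummy record is acceptable).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(username: str, password: str):
    """'Before': two different messages, and no hashing for unknown users."""
    if username not in USERS:
        return False, "Unknown username"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "Your password was incorrect"
    return True, "Welcome"

def login_safe(username: str, password: str):
    """'After': one message and the same amount of work for every failure."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare, even for an unknown user, then reject if either
    # the user does not exist or the password does not match.
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    if not (matches and username in USERS):
        return False, GENERIC_ERROR
    return True, "Welcome"
```

Note that the safe handler still hashes the supplied password against a dummy record when the username does not exist; without that, an attacker can tell valid usernames from invalid ones by response time alone, whatever the message says.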
Example 2: Server information helps criminals decide which attacks are likely to work against you. When your error messages give away information about your server, you have done half of the work for them. A server error page should not include “Apache version 2.x, CentOS version 6.x” or anything else that reveals your software or operating system type and version. In Apache, the directives ServerTokens Prod and ServerSignature Off strip the version string from the Server header and from the foot of the default error pages. You can learn how to customize Apache error pages at ServerSchool.com.
Other error output can reveal far too much about your server as well, such as detailed PHP error messages with file paths, line numbers, and the failing query. The detail belongs in the server log, not in the browser: in PHP, set display_errors = Off and log_errors = On, and show the visitor a generic page that carries at most a reference number support can look up in the log. The important thing to remember is that less information makes things harder for would-be attackers. Withholding information does not fix the underlying bug, and obscurity alone will not stop attacks, but combined with other sound security practices it denies attackers a shortcut and helps your website stay safe.
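The following is an added example of the logging-versus-displaying distinction described in the two paragraphs above; it is not code from the original article, and the sample application, its fake connection string and file path, and the reference-id format are all constructed for the illustration. It is written as WSGI middleware so it runs offline: show_errors behaves like PHP with display_errors on and sends the traceback to the client, while hide_errors writes the traceback to the server log under a reference id and returns a generic page.

```python
import logging
import sys
import traceback
import uuid

# Server-side log: the only place full error detail should end up.
log = logging.getLogger("app.errors")
logging.basicConfig(level=logging.ERROR)

def faulty_app(environ, start_response):
    """Constructed sample application: /crash raises with details that must not leak."""
    if environ.get("PATH_INFO") == "/crash":
        # Hypothetical internals of the kind a verbose error page would disclose
        raise RuntimeError(
            "cannot connect to db://admin:hunter2@10.0.0.5/shop from /var/www/shop/db.py")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def show_errors(app):
    """'Before': like display_errors=On, the full traceback goes to the client."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            body = traceback.format_exc().encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [body]
    return wrapped

def hide_errors(app):
    """'After': full detail to the server log under a reference id; generic page to the client."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"),
                      traceback.format_exc())
            body = ("Something went wrong. If you contact support, "
                    "quote reference %s." % ref).encode()
            # exc_info is passed so a response that had already started can be replaced
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")], sys.exc_info())
            return [body]
    return wrapped

def invoke(app, path):
    """Call a WSGI app without a network server; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body
```

Running invoke(hide_errors(faulty_app), "/crash") gives the visitor only a 500 status and a reference id, while the credential and the file path appear in the log line that carries the same id; invoke(show_errors(faulty_app), "/crash") returns both to anyone who asks.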