PCI compliance failing

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
Hello-

The most recent PCI scans on our site indicate we are failing due to exposed Windows file paths.
The paths they are talking about are the paths on Andrei's local development machine that appear in stack trace errors.
(example: https://tinyurl.com/y3sudazz)

I am requesting an exception for it, but I'd like to suggest that you guys find a way to suppress the local paths in errors, or very many other nop users will experience the same thing.

Thanks!
3 years ago
Adjust your web.config file. Detailed error messages (that include file paths) would not show on an out-of-the-box install.
3 years ago
Right... I get that, but sometimes I have to enable detailed errors, and if it coincides with a PCI scan, they fail me...
Maybe setting to "RemoteOnly" instead of "On" is the correct solution?
3 years ago
I would also discourage displaying detailed errors in a production site, but you can remove the PDB files which store the file paths:
https://stackoverflow.com/questions/12281962/why-does-the-stack-trace-shows-my-development-files-path

This will make the stack trace less useful, so instead of displaying detailed errors you could enable logging which will record exceptions and the stack trace.

If you're hosting with IIS and have access, there is a setting for "Detailed errors for local requests and custom errors for remote" so only you would see them while on the server.
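For reference, here is what the two settings discussed in this thread look like in web.config, written as an added example rather than configuration taken from the forum posts or from nopCommerce itself. In ASP.NET it is `customErrors mode="Off"` that sends the full error page, stack trace and developer file paths included, to every remote client; `RemoteOnly` keeps that page for requests made from the server itself and shows remote clients the custom page instead, while `On` hides it from everyone. The `httpErrors errorMode="DetailedLocalOnly"` line is the web.config equivalent of the IIS Manager option "Detailed errors for local requests and custom error pages for remote requests". The page names `Error.htm` and `PageNotFound.htm` are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example; not the project's shipped web.config. Error page names are assumed. -->
<configuration>
  <system.web>
    <!-- EXPOSING (commented out): mode="Off" renders the detailed ASP.NET error
         page, including the stack trace with local source file paths, to every
         client. This is the state a PCI scan flags.
    <customErrors mode="Off" />
    -->

    <!-- HARDENED: detailed errors only for requests originating on the server
         (localhost); remote clients receive the custom page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.htm">
      <error statusCode="404" redirect="~/PageNotFound.htm" />
    </customErrors>

    <!-- debug="true" belongs on a developer machine only; in production it
         produces slower code and richer error output. -->
    <compilation debug="false" />
  </system.web>

  <system.webServer>
    <!-- IIS-level errors for requests that never reach ASP.NET:
         detailed for local requests, custom page for remote requests. -->
    <httpErrors errorMode="DetailedLocalOnly" existingResponse="Auto" />
  </system.webServer>
</configuration>
```

Two things to check after deploying this: if IIS answers that the `httpErrors` section "cannot be used at this path", it is locked in applicationHost.config and must be unlocked or set in IIS Manager by a server administrator; and, as the reply above notes, deleting the `.pdb` files from the site's `bin` folder removes the file names and line numbers from stack traces entirely, which is the belt-and-braces fix if detailed errors are ever switched on again while a scan is running.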