Section
7.1.2
Top Level
Sub Level
General
The application should not reveal information that would assist attackers through error messages. For example, the application should not indicate whether the username or the password failed in an authentication attempt, as this would allow an attacker to enumerate valid usernames.
Natural Webagent
Don't put personal or sensitive data in error messages. A major breach of SSNs was caused this way. Error messages should be helpful without revealing stored data, or clues to stored data.
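Both points above (a login error that distinguishes an unknown username from a wrong password, and an error that echoes stored personal data) can be shown side by side. The following is an added example written for this page, not code from the source document or from any product it names; it assumes a constructed in-memory user store, PBKDF2 password hashing, and standard-library logging, so it runs offline. The leaky handler reproduces the two mistakes the guideline warns about; the hardened handler returns one generic message for every failure, keeps the detail in a server-side log entry, and hashes a dummy value for unknown users so the failure paths also take the same amount of work.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger("auth")

# Constructed salt and iteration count for the example only; a real deployment
# uses a random per-user salt stored alongside the hash.
SALT = b"constructed-example-salt"
ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash of the password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user store. The "ssn_last4" field stands in for any stored
# sensitive attribute that must never be echoed back to a client.
USERS = {
    "alice": {"hash": hash_password("correct horse battery"), "ssn_last4": "0000"},
}

# Hash of a dummy value so an unknown username costs the same as a wrong password.
DUMMY_HASH = hash_password("dummy-password-never-valid")

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The 'before' handler: every branch tells the client something different."""
    user = USERS.get(username)
    if user is None:
        # Reveals that the username does not exist -> enables username enumeration.
        return False, f"No account named {username!r} exists."
    if not hmac.compare_digest(user["hash"], hash_password(password)):
        # Reveals that the username is valid AND leaks a stored attribute.
        return False, (f"Wrong password for {username!r} "
                       f"(account SSN ending {user['ssn_last4']}).")
    return True, "Login successful."


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """The corrected handler: one generic message, detail only in server logs."""
    user = USERS.get(username)
    stored = user["hash"] if user is not None else DUMMY_HASH
    # Always perform the comparison so the unknown-user and wrong-password
    # paths do the same work; the result is discarded when the user is absent.
    password_ok = hmac.compare_digest(stored, hash_password(password))
    if user is None or not password_ok:
        # Operators still get the specifics; the client does not.
        reason = "unknown user" if user is None else "bad password"
        logger.warning("failed login for %r: %s", username, reason)
        return False, GENERIC_FAILURE
    return True, "Login successful."


def reveals_username_validity(login) -> bool:
    """True if the handler's failure message differs between an unknown and a known username."""
    _, unknown_msg = login("nobody", "wrong")
    _, known_msg = login("alice", "wrong")
    return unknown_msg != known_msg


if __name__ == "__main__":
    print("leaky handler leaks username validity:", reveals_username_validity(login_leaky))
    print("hardened handler leaks username validity:", reveals_username_validity(login_hardened))
```

The check `reveals_username_validity` is the test a reviewer can apply to any login endpoint: submit one request with a nonexistent username and one with a real username and a bad password, and compare the responses (status code and body). Any difference, including response time, is a signal an attacker can use.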