From c9612466ee96c059121c495a7e7079b9144820e0 Mon Sep 17 00:00:00 2001 From: Zac Spitzer Date: Sat, 7 Sep 2024 17:51:11 +0200 Subject: [PATCH] production error templates --- .../02.lockdown-guide/page.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md b/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md index 811d4d6e8..71e23e023 100644 --- a/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md +++ b/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md @@ -9,6 +9,20 @@ A guide to limit access to a Lucee server to necessary minimum. On Windows it is recommended to run the Lucee/Tomcat service as a restricted user with only the required permissions rather than under SYSTEM account. +## Production Error Templates ## + +By default, Lucee ships with developer friendly error templates which reveal the Lucee version and displays stacktraces, including paths. + +Production servers, should be configured to use the `error-public.cfm` templates, for both Error and Missing templates, which only display a generic error message. +This can be configured via the Lucee Administrator, under Settings -- Error, which produces the following `.CFconfig.json` config. You can also use your own custom templates. + +``` +{ + "errorGeneralTemplate": "/lucee/templates/error/error-public.cfm", + "errorMissingTemplate": "/lucee/templates/error/error-public.cfm" +} +``` + ### Don't forget to lockdown your source control metadata ### If you have .git folders (or .svn etc) make sure you restrict access to them (i.e for Apache)
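Review bot: In the added "Production Error Templates" section, the sentence "You can also use your own custom templates." comes between the lead-in "which produces the following `.CFconfig.json` config" and the JSON block it introduces, so "the following" no longer points at what follows. Move the custom-template remark below the block, and state there that a custom template should also show only a generic message, since the section's stated concern is that the default templates reveal the Lucee version, stack traces and paths. The opening fence of the JSON block has no language tag; `json` would fit. Two wording fixes in the same hunk: "reveal the Lucee version and displays stacktraces" should agree in number ("reveal ... and display"), and the comma in "Production servers, should be configured" should be dropped.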