Error pages generated by back-end applications may leak internal information about a system's setup and configuration (e.g. platform, system paths, stack traces, or deployed frameworks). Such information is valuable for potential attackers. To prevent information leakage, Airlock Microgateway supports the replacement of error pages generated by back-ends.
Depending on the HTTP status code of a back-end response, predefined error pages can be delivered to the client. If error_page_replacements is not configured, no pages are replaced.
By default, the following error pages can be used for an error page replacement:
400.html 401.html 403.html 404.html 500.html 502.html 503.html maintenance.html
By default error page replacement is disabled. The DSL example illustrates how to enable it.
DSL example
The error page replacement can be configured with the following DSL example:
apps:
- mappings:
- name: test
...
response:
error_page_replacements:
- status_code:
pattern: ^401$
page: 401.html
- status_code:
pattern: ^403$
page: 403.html
- status_code:
pattern: ^404$
page: 404.html
- status_code:
pattern: ^4(?!01|03|04)..$
page: 400.html
- status_code:
pattern: ^502$
page: 502.html
- status_code:
pattern: ^503$
page: 503.html
- status_code:
pattern: ^5(?!02|03)..$
page: 500.htmlReplacement using custom error pages
If custom error pages should be used for the replacement, configure them as described in Custom error pages.