Rule ID
SV-237381r643693_rule
Version
V1R3
CCIs
CCI-001312
Providing too much information in error messages risks compromising the data and security of the application and system. Organizations must carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes, for example, ICMP messages that reveal the use of firewalls or access-control lists. The CA API Gateway must include within the Registered Services Policies customized error responses revealing only the necessary information as required by the organization.
Open the CA API Gateway - Policy Manager and double-click all Registered Services that require a customized error response, revealing only the necessary information about an error. Verify the "Customize Error Response" Assertion is included in the policy and placed in accordance with organizational requirements. If it is not, this is a finding.
Open the CA API Gateway - Policy Manager and double-click each of the Registered Services that require a customized error response and did not include a "Customize Error Response" Assertion. Add the "Customize Error Response" Assertion to the policy, placing and configuring it in accordance with organizational requirements.