Skip to content

What should not be shown to end-user?

I.      Error codes like 1693783, 29298891 etc.

II.      System generated error messages

III.      Code snippet in the error message

IV.      Control Panel information

V.      Apache / HTTP / PHP etc. version information

VI.      4x / 5x errors – These have to be customized

VII.      Privacy – shouldn’t reveal other members private information

VIII.      Error messages like “Invalid error”, “Error” which do not help end-user

IX.      Directory listing – What if some confidential information is there but it is not hyperlinked but still can be viewed through directory listing if it’s enabled which is a problem

X.      Flat file consisting of e-mails or passwords in search engine [robots.txt – to allow/disallow search engine indexing]

XI.      Plain password stored in temp files


I have been as a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast, who conducts free workshops on security testing across India (Covered locations: Bengaluru, Pune, Hyderabad & Chennai. Invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

Latest posts by SanthoshTuppad (see all)



  1. Sometimes for Product Support teams to understand the error and work on prevention or RCA, we might need to send the error number along with a meaningful message asking the user to give the error number when he’s contacting helpdesk.

    Randomly thinking on adding a few items in addition to the above,

    1) SQL server related error messages which reveal table structure
    2) Information revealing next generation projects that you don’t want your competitor companies to be aware of (sometimes error messages reveal this info)
    3) .INC files. In ASP days, IIS did not protect .INC files the same way .ASP files were protected. Such files left on the server gave away DB information.
    4) Server side code – IIS the culprit again. IIS used to show server side code with an invalid URL, few yrs back.

    Friday, September 24, 2010 at 3:29 am | Permalink
  2. @Fake Software Tester, Thanks for adding information.

    Friday, September 24, 2010 at 12:05 pm | Permalink

One Trackback/Pingback

  1. […] This post was mentioned on Twitter by Santhosh Tuppad, Nubia Souza. Nubia Souza said: RT @santhoshst: What should be not shown to an end-user? #softwaretesting […]

Post a Comment

Your email is never published nor shared. Required fields are marked *