labs / tiddlers / content / labs / lab11 / _Labs_11_Generic 500 Error Page.md

When an unhandled exception occurs on the server, Jooby sends the error message to the client. You can see this yourself:

  1. Start your server, but don't start H2.

  2. Open the sign in page.

  3. Open the browser's dev tools, and switch to the Network tab.

  4. Try to sign in. Wait for the 500 response (it will take a few seconds since the server will need to wait for the database connection to time out).

  5. Select the request in the Network tab of the browser dev tools and look in the Preview tab. You will see something like:

    Server Error


    message: org.h2.jdbc.JdbcSQLNonTransientConnectionException: Connection is broken: "java.net.ConnectException: Connection refused (Connection refused): localhost" [90067-200]

    status code: 500

    As you can see, there is some useful information in here for malicious users:

    • They can see that the service is using H2.

    • They can see that the database is running on the same server as the service (localhost).

      This might be enough information for them to find the H2 database file if they can find a path traversal or command injection flaw to exploit. We will encrypt the database in the next lab so they still have a lot of work to do even if they do manage to get hold of the file.


We should create a generic error page for the 500 / Server Error status, which is the response used when the server has an unhandled exception.

  1. Create an HTML file named 500.html in your static folder.

  2. Add a hard-coded message in the file that states that the server had a problem. The message should be very generic, and not give away any information that might be useful to malicious users.

  3. Add the following to the Server class constructor:

     error(StatusCode.SERVER_ERROR, (ctx, cause, code) -> {
         ctx.getRouter().getLog().error(cause.getMessage(), cause);
         ctx.send(Paths.get("static/500.html"));
     });

    This will cause your 500 page to be sent to the client any time a 500 error occurs (such as when the server has an unhandled exception). This code is overriding the default error handler for Jooby, so we also need to log the error since Jooby isn't doing it for us anymore --- you never want to be in a situation where you have silent errors (where things are crashing, but you are not seeing any details of the problem in your logs).

  4. Restart your server and repeat the sign-in attempt. You should see your error page in the Preview tab rather than the default Jooby one.
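  As an added check (not part of the lab's code or of Jooby), the following Python script scans an error response body for the kinds of detail the default Jooby page leaked above: fully qualified Java exception classes, the H2 error-code suffix, internal hostnames, connection-failure text and stack frames. The sample bodies are constructed, and the pattern names and function names are my own; you could run it against the body you copy from the Preview tab before and after adding your 500.html.

```python
import re

# Constructed sample bodies (not captured from a real server): the first mimics
# the default Jooby 500 page shown in the lab, the second a generic replacement.
LEAKY_BODY = """Server Error
message: org.h2.jdbc.JdbcSQLNonTransientConnectionException: Connection is broken: "java.net.ConnectException: Connection refused (Connection refused): localhost" [90067-200]
status code: 500
"""

GENERIC_BODY = """<!doctype html>
<html><body><h1>Something went wrong</h1>
<p>The server had a problem handling your request. Please try again later.</p>
</body></html>
"""

# Each pattern names one kind of implementation detail an error page should not reveal.
LEAK_PATTERNS = {
    "java exception class": re.compile(r"\b(?:[a-z][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b"),
    "h2 error code": re.compile(r"\[\d{5}-\d{3}\]"),
    "internal host": re.compile(r"\blocalhost\b|\b127\.0\.0\.1\b|\b0\.0\.0\.0\b"),
    "stack frame": re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.MULTILINE),
    "connection error text": re.compile(r"Connection refused|Connection is broken", re.IGNORECASE),
}


def find_leaks(body: str) -> dict:
    """Return {pattern name: [matched snippets]} for every leak pattern found in body."""
    found = {}
    for name, pattern in LEAK_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(body)]
        if matches:
            found[name] = matches
    return found


def is_generic(body: str, status: int) -> bool:
    """A good 500 page keeps the 500 status code and reveals none of the patterns above."""
    return status == 500 and not find_leaks(body)


if __name__ == "__main__":
    for label, body in (("default Jooby page", LEAKY_BODY), ("generic page", GENERIC_BODY)):
        leaks = find_leaks(body)
        print(f"{label}: {'LEAKS ' + ', '.join(leaks) if leaks else 'no leaks detected'}")
```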


You can use this process to replace any error page. The 404 / Not Found page is one that a lot of web sites replace with something that fits into their style since it is quite a common error.