Resources | Security | 404 Error

Custom 404/Page Not Found Errors:

To read updated information on this tutorial, including how to handle other errors besides 404, please read this thread from our message boards

When a visitor mistypes the name of one of your pages, or if they try to connect to a page that is no longer on your server, they will get a page that shows the generic HTTP 1.1 Error Messages. There are two reasons why you would want to customize the 404 Error Page: security and aesthetic reasons.

First, the generic 404 Error Page reveals information about your web site's server. This information may seem trivial, but in fact it is often the first step that a hacker will take if they are trying to infiltrate your server. By customizing your 404 page, you can take out any information that relates to your server.

Second, the generic 404 Error Page is an ugly page to look at. It is black and white, with a large ERROR message. Chances are, it doesn't match the look and feel of your own website. When you customize your 404 page, you can link to your stylesheet and including your logo and a link to your homepage, so that a visitor will understand that they are still viewing a page on your site.

Your first step is to write out an .html or .asp page that will present your custom error message. For this example, we'll call ours "404redirect.html".

Now, to load your 404 page, you need to know what type of server your web site is being hosted on (a Unix / *nix server, or a Windows / IIS server).

Go to the Windows/IIS Section

For Unix Servers:

First, lets look at how to do this for a Unix Server. Check the root directory (www, where your index.html file is located) for your website, and see if there is a file called ".htaccess." The file name starts with a period (.) and has no file extension. If the file is there, you need to add the following line to it (if it isn't there, open up a text editor, add the following line, and save the file as ".htaccess"):

Most text editors will require you to put the file name in quotations when you save it (using the "SAVE AS" window in most editors). Remember, there is no file extension, so make sure that the "Save As Type" is set to "All Files *.*".

All references made in your 404redirect.html and .htaccess files must be full absolute paths. (ex: "http://www.your_site_name.com/index.html")

For Windows IIS Servers:

For a Windows Server, you need to open up your IIS Internet Service Manager. You can set your custom errors in one of two ways: as a url, or as a file. It is easier to set it as a file. If you select URL as your option, you will have to handle the HTTP error codes in an ASP or ISAPI application (the error code will be passed in to your asp file as part of the url). If you choose FILE, you can just set up a static HTML file.

Here are the steps you should take:
  • Create a file that contains your custom error message and place it in a virtual directory.
  • In Internet Service Manger, select the Web site, virtual directory, directory, or file in which you would like to customize HTTP errors and click the Properties button.
  • Select the Custom Errors property sheet.
  • Select the default HTTP error that you would like to change.
  • Click the Edit Properties button.
  • Select FILE from the Message Type box
  • Select the FILE that points to your customized error message.
  • Click OK.
The following is a list of the Error Types that can be customized in IIS:
  • 400: Bad Request
  • 401: Unauthorized
    • 1- Logon failed
    • 2- Logon failed due to server configuration
    • 3- Unauthorized due to ACL on resource
    • 4- Authorization failed by filter
    • 5- Authorization failed by ISAPI/CGI application
  • 403: Forbidden
    • 1- Execute access forbidden
    • 2- Read access forbidden
    • 3- Write access forbidden
    • 4- SSL required
    • 5- SSL128 required
    • 6- IP address rejected
    • 7- Client certificate required
    • 8- Site access denied
    • 9- Too many users
    • 10 - Invalid configuration
    • 11 - Password Change
    • 12 - Mapper Denied Access
  • 404: Not Found
  • 405: Method Not Allowed
  • 406: Not Acceptable
  • 407: Proxy Authentication Required
  • 412: Precondition Failed
  • 414: Request-URL Too Long
  • 415: Unsupported Media Type
  • 500: Internal Server Error
  • 501: Not Implemented
  • 502: Bad Gateway

IIS comes with its own set of default Error Messages (for each error, there is an associated file in the directory: WINNT\Help\common). If you don't want to set up a page to handle any HTTP errors, you have the option of changing the default IIS messages. Here's how:
  • In Internet Service Manger, select the Web site, virtual directory, directory, or file in which you would like to customize HTTP errors and click the Properties button.
  • Select the Custom Errors property sheet. Select the default HTTP error that you would like to change.
  • Click the Edit Properties button.
  • Select URL from the Message Type box.
  • Type /iisHelp/common/filename where "filename" is the HTML file name of the friendly error message.


Want to discuss this article, or other development issues? Visit our message boards!

Or contact us directly with a comment or question on this article: click here !
armbrustconsulting.com