Be cautious about how much information your error messages reveal. A login form is the classic case: if the message reports "Unknown username" for one failure and "Incorrect password" for another, the form confirms which half of the credential pair was right. An attacker running a brute-force or credential-stuffing attack can first sweep usernames with any password, keep the ones the form implicitly confirms exist, and then spend the whole guessing budget on the password field. A single generic message such as "Incorrect username or password" for every failed attempt removes that shortcut. The same care applies wherever the application reacts to a username, such as password-reset and registration forms, and to the response itself: if the server only hashes a password when the username exists, the difference in response time can give away the same information as a distinct message.
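The following is an added example, not code from the original page. It contrasts a login check that returns a distinct message per field with one that returns the generic message and also does the same password-hashing work whether or not the username exists, so that neither the text nor the timing distinguishes the two cases. The user table, salts, dummy record and helper names are all constructed for illustration.

```python
"""Login failure messages: field-specific versus generic.

Added example, not from the original page. The user table, salts, iteration
count and the dummy record are constructed for illustration only.
"""
import hashlib
import hmac
from typing import Callable, List, Set, Tuple


def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; parameters are illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user table: username -> (salt, password hash).
_SALT = b"0123456789abcdef"  # fixed so the example is reproducible
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Hypothetical dummy record used when the username does not exist, so the
# hardened check performs the same PBKDF2 work in both branches.
_DUMMY_SALT = b"fedcba9876543210"
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

GENERIC_FAILURE = "Incorrect username or password"


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The 'before' form: the message says which field was wrong, and no
    hashing happens for an unknown username, so timing leaks it as well."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Login successful"


def login_generic(username: str, password: str) -> Tuple[bool, str]:
    """Hardened form: one message for every failure, and the password is
    hashed against a dummy record when the username is unknown."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Bitwise & (not 'and') so both checks are always evaluated; the
    # membership test prevents a guess of the dummy password logging in.
    ok = (username in USERS) & hmac.compare_digest(candidate, stored)
    if not ok:
        return False, GENERIC_FAILURE
    return True, "Login successful"


def failure_messages(login: Callable[[str, str], Tuple[bool, str]],
                     guesses: List[str]) -> Set[str]:
    """What an attacker sweeping usernames with a wrong password observes:
    more than one distinct message means usernames can be enumerated."""
    return {login(u, "not-the-password")[1] for u in guesses}


if __name__ == "__main__":
    sweep = ["alice", "bob", "carol"]
    print("leaky  :", failure_messages(login_leaky, sweep))
    print("generic:", failure_messages(login_generic, sweep))
```

Against the sweep, the leaky check yields two distinct messages and the generic one yields a single message, which is the property to verify on any login, reset or registration endpoint: every failure path should be indistinguishable to the caller.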
Last Revised: 2015-08-29 23:41:25