I have a self-hosted WCF service that exposes only one WebInvoked operation with address and parameters as such:

www.myserver.com/myservice/SayHello?LuckeyNumber=3  (where LuckeyNumber : int)

Now, when someone is trying to access this address but with LuckeyNumber=EvilInput I get a WCF error page that I would like to replace with a page (Similar to the Twitter Fail Whale).

  1. How to replace this page?
  2. Can I replace the page also for 404s, 405s, etc.?

Thanks!

Felix
  • Could be related to this SO question: http://stackoverflow.com/questions/10600874/customize-wcf-rest-error-responses – Felix Nov 24 '14 at 15:25
  • Why does a service need to return a human readable error page? Don't you need to just return a fault or a 500 error? – Remotec Dec 05 '14 at 08:44
  • @RemotecUk: 1. For most part, we don't. We have an endpoint that returns HTML, and we wanted that to have a custom error page. 2. Most of our services are JSON, and the faults are serialized as SOAP-Faults. 3. Out-of-the-box, WCF returns an HTML human readable response that we wanted to control. – Felix Dec 07 '14 at 17:17
  • If you are self hosting how do you get a WCF error page? Surely you just get an exception in the response? – Remotec Dec 10 '14 at 13:54
  • @RemotecUk: The exception is shown on a nice (semi-)human-readable page, as can be seen [Here](http://i.imgur.com/Rx4Ji7E.png). – Felix Dec 10 '14 at 14:48
  • (sorry for the broken link) As can be seen [here](http://i.imgur.com/7cI4r3S.png). – Felix Dec 10 '14 at 14:56

1 Answer

For self-hosted WCF, if you are hosting REST services you can add WebHttpBehavior to get a HELP page, but you surely can send Fault Exception details (not the entire HTML page) in the response of your service.

The application consuming these services should take care of displaying the fault details in a fancy error page.

You should always leave that decision on the consumer (not at service layer) to mask this data and display/log it as they need it.

GeekzSG
  • Leaving the decision to the consumer is not an option, as this was detected during penetration testing, and the server had 2 things we could not bear: (1) the server included a stack trace in the fault exception, allowing an attacker to reverse engineer some of our server's structure, and (2) returned the string `EvilInput`. If the string would be `` it would have been executed (a la XSS). – Felix Feb 05 '15 at 15:46
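
The two findings in the last comment (stack trace in the response, request input echoed back) can be handled at the service layer. The following is an added example, not code from the question, the answer or WCF itself: a `WebHttpBehavior` subclass that registers its own `IErrorHandler`, which returns a fixed HTML page and keeps exception details in the server log. The class names, the page text and the choice of status 400 for every failure are assumptions.

```csharp
using System;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text;
using System.Xml;

// Hypothetical class names; added example, not code from the thread.
class StaticHtmlBody : BodyWriter
{
    private readonly byte[] _bytes;
    public StaticHtmlBody(string html) : base(true) { _bytes = Encoding.UTF8.GetBytes(html); }
    protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
    {
        // With WebContentFormat.Raw the encoder sends the bytes inside <Binary> verbatim.
        writer.WriteStartElement("Binary");
        writer.WriteBase64(_bytes, 0, _bytes.Length);
        writer.WriteEndElement();
    }
}

class GenericErrorHandler : IErrorHandler
{
    // Constant page: no exception message, no stack trace, no request data echoed back.
    private const string Page = "<html><body><h1>Something went wrong.</h1></body></html>";

    public bool HandleError(Exception error)
    {
        System.Diagnostics.Trace.TraceError(error.ToString()); // details stay server-side
        return true;
    }
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        // Assumption: every failure is reported as 400; map exception types as needed.
        var http = new HttpResponseMessageProperty { StatusCode = HttpStatusCode.BadRequest };
        http.Headers[HttpResponseHeader.ContentType] = "text/html; charset=utf-8";
        fault = Message.CreateMessage(version, "", new StaticHtmlBody(Page));
        fault.Properties[WebBodyFormatMessageProperty.Name] =
            new WebBodyFormatMessageProperty(WebContentFormat.Raw);
        fault.Properties[HttpResponseMessageProperty.Name] = http;
    }
}

class GenericErrorWebHttpBehavior : WebHttpBehavior
{
    protected override void AddServerErrorHandlers(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        // base is deliberately not called, so the default HTML error page handler is not registered.
        endpointDispatcher.ChannelDispatcher.ErrorHandlers.Add(new GenericErrorHandler());
    }
}
```

Add `GenericErrorWebHttpBehavior` to the endpoint's behaviors in place of the stock `WebHttpBehavior` when building the self-hosted `ServiceHost`.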