19 September 2008

Someone Could Be Advertising on Your Web Site

A common way malicious hackers try to obtain information about how your website works is to generate errors and see what is displayed. It is particularly important to stop error pages giving away information that might help someone break into your web site, but equally you should make sure these pages are not advertising someone else's products and services.

When a web site is developed and then set up on the web server(s), it is possible to define customised error pages for all sorts of unusual events like application errors, internal server errors and, the one most people will recognise, not found. The latter is sent back when a page or other file's address is requested but does not exist. The web server sends a response status code of 404 which means "not found" and the text from whichever document has been set for this. By default many sites will return text which gives away the operating system and web server software:

Default missing page error for typical Microsoft web servers - the address has been blanked out

But some hosting companies rather naughtily hope to gain revenue from people typing the wrong address, following an old link or clicking a dead link on another page. Instead of showing a page from your own web site, or the default web server message, they display an advert for themselves and/or adverts for other web sites. These may be neither what you expect nor something you want to be associated with. Here is one from a UK limited company's web site:

Missing page error on a company's web site displaying adverts for other products - the address and advert URLs have been blanked out

Check your own web site by typing an address like:

http://[your host name]/123456doesnotexist

or something similar. Hopefully, you will see a page in the style of your own web site with an apologetic message, and not anything else. If not, speak to your developers (or hosting company) and ask them to "add custom error pages for all possible web server errors" and make sure they are your own design. Also ask them to "ensure errors return the correct HTTP response status codes" - this is especially important for correct indexing by search engines.

Here's an example showing how to do it correctly from the British Library:

Custom error for missing page on the British Library web site that includes a clear message, an explanation, a link to the search, links to main sections and a link to contact details

If you have more than one domain, host name, or also have an HTTPS address, check them all separately. This advertising could also exist on domains you have purchased, but are not currently using for a site.
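The manual check above can be scripted. This is an added example, not code from the original post: it requests a missing address and reports a wrong status code, server software named in the response, and links to other hosts. The function names, the banner patterns and the `example.org`/`example.net` sample values are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed banner patterns (extend as needed) and a constructed sample body, not real output.
BANNER = re.compile(r"\b(?:Microsoft-IIS|Apache|nginx)/\d[\d.]*|Internet Information Services", re.I)
SAMPLE = '<h1>Not Found</h1><a href="http://ads.example.net/offer">Deals</a><address>Apache/2.2.3</address>'

class LinkHosts(HTMLParser):  # collects the host names used in href and src attributes
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                try:
                    host = urlparse(value).hostname
                except ValueError:  # malformed URL in the page
                    continue
                if host:
                    self.hosts.add(host)

def assess_error_page(own_host, status, headers, body):
    """Return findings for the response to a request for a non-existent address."""
    findings = []
    own = own_host.lower()
    if status != 404:
        findings.append(f"status {status} returned instead of 404")
    server = headers.get("Server") or ""
    if re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server}")
    if banner := BANNER.search(body):
        findings.append(f"body names server software: {banner.group(0)}")
    parser = LinkHosts()
    parser.feed(body)
    foreign = sorted(h for h in parser.hosts if h != own and not h.endswith("." + own))
    if foreign:
        findings.append("links to other hosts: " + ", ".join(foreign))
    return findings

def probe(base_url, path="/123456doesnotexist"):
    """Request a missing address on a site you run and assess what comes back."""
    try:
        resp = urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # 4xx/5xx responses still carry a status, headers and a body
    body = resp.read().decode("utf-8", "replace")
    return assess_error_page(urlparse(base_url).hostname, resp.getcode(), resp.headers, body)
```

Call `probe()` once for each of your own domains, host names and HTTPS addresses; an empty list means none of these checks fired. Because `urlopen` follows redirects, a missing page that redirects to a home page or parking page is reported as the wrong status code.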

Posted on: 19 September 2008 at 09:51 hrs

Page http://www.clerkendweller.com/2008/9/19/Someone-Could-Be-Advertising-on-Your-Web-Site
© 2008-2014 clerkendweller.com