Hi I have two questions1. In Scott Gu's post he writes "It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the "defaultRedirect" attribute on the <customErrors> section and ensure that no per-status codes are set."How should we configure our error handling for per-status codes? We must be able to return a 404 status code.I'm confused in the Advisory they write that sensible encrypted data in the ViewState could be decrypted. Is it just the data IN the ViewState or could they use any ViewState (that's by default encrypted) and then get into the web.config files?
View Complete Post