A common way malicious hackers try to obtain information about how your web site works is to generate errors and see what is displayed. It is particularly important to stop these error pages giving away information that might help someone break into your web site, but equally you should make sure they are not advertising someone else's products and services.
When a web site is developed and then set up on the web server(s), it is possible to define customised error pages for all sorts of unusual events like application errors, internal server errors and, the one most people will recognise, not found. The latter is sent back when a page or other file's address is requested but does not exist. The web server sends a response status code of 404 which means "not found" and the text from whichever document has been set for this. By default many sites will return text which gives away the operating system and web server software:
But some hosting companies rather naughtily hope to gain revenue from people typing the wrong address, following an old link or clicking a dead link on another page. Instead of showing a page from your own web site, or the default web server message, they display an advert for themselves and/or adverts for other web sites. These may be neither what you expect nor something you want to be associated with. Here is one from a UK limited company's web site:
Check your own web site by typing an address like:
http://[your host name]/123456doesnotexist
or something similar. Hopefully, you will see a page in the style of your own web site with an apologetic message, and not anything else. If not, speak to your developers (or hosting company) and ask them to "add custom error pages for all possible web server errors" and make sure they are your own design. Also ask them to "ensure errors return the correct HTTP response status codes" - this is especially important for correct indexing by search engines.
Here's an example showing how to do it correctly from the British Library:
If you have more than one domain, host name, or also have an HTTPS address, check them all separately. This advertising could also exist on domains you have purchased, but are not currently using for a site.
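The same check can be scripted and run against every host name you own. The following is an added example, not part of the original post: the host names and the "Example Ltd" marker text are placeholders, and the banner patterns are an assumed, non-exhaustive list.

```python
import re
import urllib.error
import urllib.request
import uuid

# Assumed, non-exhaustive patterns for server software or OS banners.
BANNER = re.compile(
    r"(?:Apache|nginx|Microsoft-IIS|lighttpd)/[\d.]+"
    r"|\((?:Unix|Win32|Ubuntu|Debian|CentOS)\)", re.I)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as-is instead of following it

def assess(status, headers, body, site_text):
    """Return the problems with a response to a request for a missing page."""
    problems = []
    if status != 404:
        problems.append(f"status {status}, expected 404")
    server = headers.get("Server") or ""
    if BANNER.search(server):
        problems.append(f"Server header discloses software: {server}")
    found = BANNER.search(body)
    if found:
        problems.append(f"page body discloses software: {found.group(0)}")
    if site_text.lower() not in body.lower():
        problems.append("page does not look like your own error page")
    return problems

def fetch_missing_page(base_url, timeout=10):
    """Request a random, non-existent path and return (status, headers, body)."""
    url = f"{base_url.rstrip('/')}/{uuid.uuid4().hex}doesnotexist"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx/5xx arrive as HTTPError, itself a response
    body = resp.read(65536).decode("utf-8", "replace")
    return resp.code, resp.headers, body

if __name__ == "__main__":
    # Placeholders: list every host name and scheme you own, parked ones too.
    for base in ("http://www.example.com", "https://www.example.com"):
        try:
            problems = assess(*fetch_missing_page(base), site_text="Example Ltd")
        except OSError as exc:  # DNS failure, refused connection, TLS error
            problems = [f"request failed: {exc}"]
        print(base, "OK" if not problems else "; ".join(problems))
```

A status of 200 or a redirect on a missing page is reported as a problem because it is the incorrect response code the post warns about, and it is also typical of a host serving its own advert page.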
Posted on: 19 September 2008 at 09:51 hrs