Lucee Lock down: Server is returning exception-message header


I’ve been using Foundeo’s excellent HackMyCF scanning tool since the Railo days and I have never been able to “fix” the error

Server is returning exception-message header

The default error handler for Railo or Lucee will return a HTTP response header called exception-message with the exception error message. This header may contain information that should not be disclosed to the public such as file system paths or other information that should not be disclosed. Railo partially fixes this by default. Configure your web server to remove or overwrite this header.
More Information:

I know there was some work on this as noted in the jira link but it doesn’t seem to have progressed in Lucee (?)

Is there anything planned for this or does anyone have a workaround? Does v5 address this?

Running IIS 8.5 2012R2 TC8.5.23


Jay - thanks for bringing this up - it would be great to have the header disabled by default for remote method calls in Lucee. You probably should file a new bug (and post it here) if one does not already exist.

You might be able to have IIS strip out the header value using something like this:

                <rule name="RemoveExceptionMessage">
                    <match serverVariable="RESPONSE_exception-message" pattern="^(.*)$" />
                    <action type="Rewrite" value="" />

Pete Freitag
Foundeo / HackMyCF


Thanks Pete. (and thanks for HMCF :slight_smile: )


I’ll give the rewrite a try and report back.


That rewrite rule did the trick :+1:


Hey Pete, Pothys is asking for more details in the bug report. Do you think you could pop in and explain exactly what’s triggering the warning in HMCF.


Yup, I have added comment to the ticket.


Just noticed Lucee exposes the path in the error message for argument validation

invalid call of the function exposePath (ram:///main1507860812701-dc89ba6a-2655-24be-a16f-b9e23c7c528a.cfm-1F9873BB-0C7F-4955-80E1E55B0DB19474.cfm), first Argument (id) is of invalid type, can't cast String [1,2] to a value of type [numeric] on line 6