Forum Discussion
I'm sorry to revive this old thread, but the issue is being revisited by our team right now.
Of course, leaking sensitive details is a big problem and must be avoided, but that doesn't mean that HTTP 5xx status codes are leaking such details.
Applications should be programmed and/or configured to catch unexpected errors and transform them into 5xx responses with some opaque content that allows the issue to be referred to in some way, so the event can be related to the appropriate log entries to be diagnosed and fixed.
But the 5xx status code should reach the client so it can act accordingly.
Otherwise the client is tricked into receiving a 200 response with completely unexpected content, which causes lots of headaches.
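The error-handling pattern argued for in the post above, as an added example that is not code from the original thread: a small Python wrapper that catches unexpected exceptions, logs the full traceback server-side under a fresh incident id, and returns a 500 whose body carries only that id. It is shown next to the anti-pattern of returning 200 with the traceback in the body. The `orders_handler`, the in-memory log sink and the `SECRET` connection string are constructed for the demonstration and are not from any real system.

```python
import json
import logging
import traceback
import uuid
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)

# Constructed in-memory log sink so the example runs offline; in production
# this is the application log that ops correlates the incident id against.
LOG_RECORDS: List[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_RECORDS.append(self.format(record))


logger = logging.getLogger("example.app")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(_ListHandler())


def leaky_wrapper(handler: Callable[[str], Response], path: str) -> Response:
    """Anti-pattern: report a crash as 200 with the traceback in the body.
    The client sees 'success' and internal details go over the wire."""
    try:
        return handler(path)
    except Exception:
        body = ("<pre>" + traceback.format_exc() + "</pre>").encode()
        return 200, {"Content-Type": "text/html"}, body


def opaque_wrapper(handler: Callable[[str], Response], path: str) -> Response:
    """Catch unexpected errors, log full detail under a fresh incident id,
    and return 500 carrying only that id, so the client can act on the
    status and an operator can find the matching log entry."""
    try:
        return handler(path)
    except Exception:
        incident_id = uuid.uuid4().hex  # opaque, unguessable reference
        logger.error("incident=%s path=%s\n%s", incident_id, path, traceback.format_exc())
        body = json.dumps({"error": "internal server error", "incident_id": incident_id}).encode()
        headers = {"Content-Type": "application/json", "X-Incident-Id": incident_id}
        return 500, headers, body


def find_log_entry(incident_id: str) -> Optional[str]:
    """Server-side lookup an operator would do with the id a client reports."""
    for line in LOG_RECORDS:
        if f"incident={incident_id}" in line:
            return line
    return None


# Constructed handler whose failure message carries a secret, to show what
# must stay out of the response. The connection string is fictional.
SECRET = "postgres://svc:hunter2@db.internal/orders"


def orders_handler(path: str) -> Response:
    if path == "/orders":
        raise RuntimeError(f"could not connect to {SECRET}")
    return 200, {"Content-Type": "text/plain"}, b"ok"


def demo() -> dict:
    """Run both wrappers against the failing handler and report what leaked where."""
    leaky = leaky_wrapper(orders_handler, "/orders")
    opaque = opaque_wrapper(orders_handler, "/orders")
    incident_id = json.loads(opaque[2])["incident_id"]
    return {
        "leaky_status": leaky[0],
        "leaky_leaks_secret": SECRET.encode() in leaky[2],
        "opaque_status": opaque[0],
        "opaque_leaks_secret": SECRET.encode() in opaque[2],
        "incident_id": incident_id,
        "log_has_secret": SECRET in (find_log_entry(incident_id) or ""),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check worth keeping from this: the secret appears in the log entry and in the leaky 200 body, but not in the 500 body, and the id in the response is enough to find the full record server-side. The same split (status to the client, detail to the log) is what a WAF profile that blocks 5xx responses outright takes away.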
Sounds like a fair argument, but in the end it will differ per application and the rules within a company. F5 ASM chooses to block them with the default profile, but you can change it if you want.