Response status code block information
Was wondering how anyone has handled keeping disallowed HTTP response status codes away from hackers' eyes while still allowing internal support to know what they were at a glance?
We use the rapid deployment template defaults which block "Illegal HTTP status code in response" and the default six Allowed Status Response Codes in our policies. While this is good security practice because it hides server errors from hackers trying to do recon on a site, this causes the ASM team many support calls because of the generic block response page when it's really a problem with the application and should be directed to the application team.
One possible solution we thought might be helpful would be to have a response page that included information not decipherable by a hacker, but from which the app team would know it was a server error. Even better if they knew which status code was returned. We don't know if that kind of logic is allowed in the block response page, or how to create such logic if it is. Or can this sort of thing only be accomplished with an iRule?
Thanks,
Chris