Enable Custom ErrorsSetting customErrors to On will keep exception details from user, but shows the YSOD which is a 500. Hackers look for pages with 500 error codes as potential targets.
Add a user friendly error page
The downside of this is that pattern of the url still indicates that there was an internal server error. Again, highlights a potential target for hackers
<customErrors mode="On" defaultRedirect="Error.aspx">
Get rid of the error page pattern in url
The response is returning a 200 which looks like a successful page. There is no 302 redirect to detect the error either. The only way to tell there is an error is to read the message on the page and can't be determined by a pattern or status code.<configuration>
<customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="Rewrite">