This is driven by ASP.NET giving up too much information in error codes.
The big takeaway:
Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the
Here's the Scott Gu post
Get busy out there.