ASP.Net Security Vulnerability - using a custom error page
Okay, I'm some days late and perhaps my question has been asked before and has a complete answer somewhere, but I know I'm not the only one in need of some clarification.
If I want to show a custom, nice error page it seems to be enough just to do two things:
1. Make the custom errors redirect to it like this (in web.config):
<customErrors mode="On" defaultRedirect="~/my-error-page" />
2. Delete/rename the /config/404handlers.config file so no special handling of 404-errors happens.
Reading the ScottGu blog posts about the vulnerability, I do think this should be enough.
"Notes: The important things to note above is that customErrors is set to "on", and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined, which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure."
A further recommendation is to add a delay. But that might just be added to our Umbraco page with a simple macro also, as far as I understand.
"We recommend adding the below code [ random sleep delay ] to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors."
So - what is the official Umbraco patch doing other than printing an error text? Is it doing this delay thing, or something else that we might need if we don't use the official patch?
Thank you
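The two steps above (a single defaultRedirect page in web.config plus a random, small sleep in that page's Page_Load) look like this when put together. This is an added example, not the poster's code and not the official Umbraco patch; the class name MyErrorPage, the page path ~/my-error-page and the 0-255 ms delay range are assumptions. The same Page_Load body can live in an ASP.NET user control if the error page is built as an Umbraco macro instead of a plain .aspx page.

```csharp
// Added example (not from the original post or the Umbraco patch).
// Code-behind for the one error page that web.config points every error at:
//
//   <customErrors mode="On" defaultRedirect="~/my-error-page" />
//
// No <error statusCode="..."> sub-elements: every failure, whatever its cause,
// ends up on this page with the same status and the same body.
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

public partial class MyErrorPage : Page   // class name is an assumption
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Sleep a random 0-255 ms (range is an assumption), drawn from a
        // cryptographic RNG so the delay is unpredictable. This removes the
        // timing side channel: an attacker who cannot distinguish errors by
        // status code or body should not be able to distinguish them by how
        // long the server took to produce the error page either.
        byte[] delay = new byte[1];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(delay);
        }
        Thread.Sleep(delay[0]);

        // Deliberately render nothing derived from the request. ASP.NET appends
        // ?aspxerrorpath=<original url> to the defaultRedirect; echoing it, or
        // any exception text, would reintroduce the information disclosure the
        // single error page is meant to prevent (and, unencoded, an XSS risk).
        ErrorMessage.Text = "Sorry, something went wrong. Please try again later.";
    }
}
```

A quick check that the configuration behaves as intended: request a page that does not exist, a page that throws, and a request with a deliberately malformed query string, and confirm that all three return the same status code, the same body and no Set-Cookie or header differences. If any of them shows a different response, there is still a per-status <error> element, a remaining 404handlers.config, or a handler that writes its own error output.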
Hi Jonas,
Yes, the patch is doing the recommended delay.