Applications and services are configured to not display information that is unnecessary.
Functionality is designed and configured to prevent enumeration of information.
Specification
Information that should not be enumerable includes: usernames, email addresses, files, version information, server configuration and structure, endpoints, and so forth.
Error messages and headers should be compact and should not contain any technical information about the environment (such as stack traces, debugging output, etc.).
Comments in code should not be accessible by end users.
Make sure that files are not directly accessible if they are not supposed to be. Verify this either by hand or with tools such as URL fuzzers (https://github.com/xmendez/wfuzz).
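One way to meet the requirement on error messages and headers, shown as an added example that is not part of the original specification. It assumes a Python WSGI application; CompactErrors, LEAKY_HEADERS, demo_app and call are hypothetical names, and the sample app and its error text are constructed.

```python
import logging
import uuid

log = logging.getLogger("app.errors")
# Headers that commonly advertise server or framework versions (assumed list).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

class CompactErrors:
    """WSGI middleware: generic error bodies, version headers removed."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        seen = {}

        def capture(status, headers, exc_info=None):
            # Buffer the response so a later exception can still replace it.
            seen["status"] = status
            seen["headers"] = [(k, v) for k, v in headers
                               if k.lower() not in LEAKY_HEADERS]

        try:
            body = list(self.app(environ, capture))
        except Exception:
            # Detail goes to the server log; the client only gets a reference.
            ref = uuid.uuid4().hex[:12]
            log.exception("unhandled error ref=%s path=%s", ref, environ.get("PATH_INFO"))
            msg = f"Internal error. Reference: {ref}\n".encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(msg)))])
            return [msg]
        start_response(seen["status"], seen["headers"])
        return body

def demo_app(environ, start_response):
    """Constructed sample app: one healthy route, one that crashes."""
    if environ["PATH_INFO"] == "/boom":
        raise RuntimeError("connect failed at /srv/app/db.py line 42")
    start_response("200 OK", [("Server", "DemoServer/1.2.3"),
                              ("Content-Type", "text/plain")])
    return [b"ok\n"]

def call(app, path):
    """Invoke a WSGI app in-process; return (status, headers, body)."""
    out = {}
    body = b"".join(app({"PATH_INFO": path},
                        lambda s, h, e=None: out.update(status=s, headers=dict(h))))
    return out["status"], out["headers"], body
```

The middleware buffers the whole response before sending it, so it does not suit streaming endpoints or applications that use the legacy WSGI write() callable.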
ISO 27001 & 27002:2022
8.1, A5.8, A8.25, A8.26, A8.27, A8.28, A8.29, A8.31, A8.30, A8.32, A5.36, A5.37
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.01 Security Baselines
SD.01 Methodology for secure development and implementation of software