diff --git a/server/handlers.go b/server/handlers.go
index 28086b13d1e493503e71ed889d388db450ee267d..832c262b0eb0727525edda10af6aaad72750d5b3 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -42,7 +42,7 @@ func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
 	t := s.now().Sub(start)
 	if err != nil {
 		s.logger.Errorf("Storage health check failed: %v", err)
-		http.Error(w, "Health check failed", http.StatusInternalServerError)
+		s.renderError(w, http.StatusInternalServerError, "Health check failed.")
 		return
 	}
 	fmt.Fprintf(w, "Health check passed in %s", t)
@@ -53,13 +53,13 @@ func (s *Server) handlePublicKeys(w http.ResponseWriter, r *http.Request) {
 	keys, err := s.storage.GetKeys()
 	if err != nil {
 		s.logger.Errorf("failed to get keys: %v", err)
-		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		s.renderError(w, http.StatusInternalServerError, "Internal server error.")
 		return
 	}
 
 	if keys.SigningKeyPub == nil {
 		s.logger.Errorf("No public keys found.")
-		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		s.renderError(w, http.StatusInternalServerError, "Internal server error.")
 		return
 	}
 
@@ -74,7 +74,7 @@ func (s *Server) handlePublicKeys(w http.ResponseWriter, r *http.Request) {
 	data, err := json.MarshalIndent(jwks, "", "  ")
 	if err != nil {
 		s.logger.Errorf("failed to marshal discovery data: %v", err)
-		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		s.renderError(w, http.StatusInternalServerError, "Internal server error.")
 		return
 	}
 	maxAge := keys.NextRotation.Sub(s.now())
@@ -138,13 +138,14 @@ func (s *Server) discoveryHandler() (http.HandlerFunc, error) {
 func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	authReq, err := s.parseAuthorizationRequest(s.supportedResponseTypes, r)
 	if err != nil {
-		s.renderError(w, http.StatusInternalServerError, err.Type, err.Description)
+		s.logger.Errorf("Failed to parse authorization request: %v", err)
+		s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
 		return
 	}
 	authReq.Expiry = s.now().Add(time.Minute * 30)
 	if err := s.storage.CreateAuthRequest(authReq); err != nil {
 		s.logger.Errorf("Failed to create authorization request: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
 		return
 	}
 	if len(s.connectors) == 1 {
@@ -174,7 +175,8 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 	connID := mux.Vars(r)["connector"]
 	conn, ok := s.connectors[connID]
 	if !ok {
-		s.notFound(w, r)
+		s.logger.Errorf("Failed to create authorization request.")
+		s.renderError(w, http.StatusBadRequest, "Requested resource does not exist.")
 		return
 	}
 
@@ -183,7 +185,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 	authReq, err := s.storage.GetAuthRequest(authReqID)
 	if err != nil {
 		s.logger.Errorf("Failed to get auth request: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "Connector Login Error")
+		s.renderError(w, http.StatusInternalServerError, "Database error.")
 		return
 	}
 	scopes := parseScopes(authReq.Scopes)
@@ -197,7 +199,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 		}
 		if err := s.storage.UpdateAuthRequest(authReqID, updater); err != nil {
 			s.logger.Errorf("Failed to set connector ID on auth request: %v", err)
-			s.renderError(w, http.StatusInternalServerError, errServerError, "Connector Login Error")
+			s.renderError(w, http.StatusInternalServerError, "Database error.")
 			return
 		}
 
@@ -209,7 +211,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 			callbackURL, err := conn.LoginURL(scopes, s.absURL("/callback"), authReqID)
 			if err != nil {
 				s.logger.Errorf("Connector %q returned error when creating callback: %v", connID, err)
-				s.renderError(w, http.StatusInternalServerError, errServerError, "Connector Login Error")
+				s.renderError(w, http.StatusInternalServerError, "Login error.")
 				return
 			}
 			http.Redirect(w, r, callbackURL, http.StatusFound)
@@ -218,12 +220,12 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 				s.logger.Errorf("Server template error: %v", err)
 			}
 		default:
-			s.notFound(w, r)
+			s.renderError(w, http.StatusBadRequest, "Requested resource does not exist.")
 		}
 	case "POST":
 		passwordConnector, ok := conn.Connector.(connector.PasswordConnector)
 		if !ok {
-			s.notFound(w, r)
+			s.renderError(w, http.StatusBadRequest, "Requested resource does not exist.")
 			return
 		}
 
@@ -233,7 +235,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 		identity, ok, err := passwordConnector.Login(r.Context(), scopes, username, password)
 		if err != nil {
 			s.logger.Errorf("Failed to login user: %v", err)
-			s.renderError(w, http.StatusInternalServerError, errServerError, "Connector Login Error")
+			s.renderError(w, http.StatusInternalServerError, "Login error.")
 			return
 		}
 		if !ok {
@@ -245,13 +247,13 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 		redirectURL, err := s.finalizeLogin(identity, authReq, conn.Connector)
 		if err != nil {
 			s.logger.Errorf("Failed to finalize login: %v", err)
-			s.renderError(w, http.StatusInternalServerError, errServerError, "Connector Login Error")
+			s.renderError(w, http.StatusInternalServerError, "Login error.")
 			return
 		}
 
 		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	default:
-		s.notFound(w, r)
+		s.renderError(w, http.StatusBadRequest, "Unsupported request method.")
 	}
 }
 
@@ -265,43 +267,44 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
 	//   Section: "3.4.3 RelayState"
 	state := r.URL.Query().Get("state")
 	if state == "" {
-		s.renderError(w, http.StatusBadRequest, errInvalidRequest, "No 'state' parameter provided.")
+		s.renderError(w, http.StatusBadRequest, "User session error.")
 		return
 	}
 
 	authReq, err := s.storage.GetAuthRequest(state)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			s.renderError(w, http.StatusBadRequest, errInvalidRequest, "Invalid 'state' parameter provided.")
+			s.logger.Errorf("Invalid 'state' parameter provided: %v", err)
+			s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
 			return
 		}
 		s.logger.Errorf("Failed to get auth request: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Database error.")
 		return
 	}
 
 	conn, ok := s.connectors[authReq.ConnectorID]
 	if !ok {
-		s.notFound(w, r)
+		s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
 		return
 	}
 	callbackConnector, ok := conn.Connector.(connector.CallbackConnector)
 	if !ok {
-		s.notFound(w, r)
+		s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
 		return
 	}
 
 	identity, err := callbackConnector.HandleCallback(parseScopes(authReq.Scopes), r)
 	if err != nil {
 		s.logger.Errorf("Failed to authenticate: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Failed to return user's identity.")
 		return
 	}
 
 	redirectURL, err := s.finalizeLogin(identity, authReq, conn.Connector)
 	if err != nil {
 		s.logger.Errorf("Failed to finalize login: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Login error.")
 		return
 	}
 
@@ -333,12 +336,12 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 	authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
 	if err != nil {
 		s.logger.Errorf("Failed to get auth request: %v", err)
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Database error.")
 		return
 	}
 	if !authReq.LoggedIn {
 		s.logger.Errorf("Auth request does not have an identity for approval")
-		s.renderError(w, http.StatusInternalServerError, errServerError, "")
+		s.renderError(w, http.StatusInternalServerError, "Login process not yet finalized.")
 		return
 	}
 
@@ -351,7 +354,7 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 		client, err := s.storage.GetClient(authReq.ClientID)
 		if err != nil {
 			s.logger.Errorf("Failed to get client %q: %v", authReq.ClientID, err)
-			s.renderError(w, http.StatusInternalServerError, errServerError, "")
+			s.renderError(w, http.StatusInternalServerError, "Failed to retrieve client.")
 			return
 		}
 		if err := s.templates.approval(w, authReq.ID, authReq.Claims.Username, client.Name, authReq.Scopes); err != nil {
@@ -359,7 +362,7 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 		}
 	case "POST":
 		if r.FormValue("approval") != "approve" {
-			s.renderError(w, http.StatusInternalServerError, "approval rejected", "")
+			s.renderError(w, http.StatusInternalServerError, "Approval rejected.")
 			return
 		}
 		s.sendCodeResponse(w, r, authReq)
@@ -368,22 +371,22 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 
 func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authReq storage.AuthRequest) {
 	if s.now().After(authReq.Expiry) {
-		s.renderError(w, http.StatusBadRequest, errInvalidRequest, "Authorization request period has expired.")
+		s.renderError(w, http.StatusBadRequest, "User session has expired.")
 		return
 	}
 
 	if err := s.storage.DeleteAuthRequest(authReq.ID); err != nil {
 		if err != storage.ErrNotFound {
 			s.logger.Errorf("Failed to delete authorization request: %v", err)
-			s.renderError(w, http.StatusInternalServerError, errServerError, "")
+			s.renderError(w, http.StatusInternalServerError, "Internal server error.")
 		} else {
-			s.renderError(w, http.StatusBadRequest, errInvalidRequest, "Authorization request has already been completed.")
+			s.renderError(w, http.StatusBadRequest, "User session error.")
 		}
 		return
 	}
 	u, err := url.Parse(authReq.RedirectURI)
 	if err != nil {
-		s.renderError(w, http.StatusInternalServerError, errServerError, "Invalid redirect URI.")
+		s.renderError(w, http.StatusInternalServerError, "Invalid redirect URI.")
 		return
 	}
 	q := u.Query()
@@ -404,7 +407,7 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
 			}
 			if err := s.storage.CreateAuthCode(code); err != nil {
 				s.logger.Errorf("Failed to create auth code: %v", err)
-				s.renderError(w, http.StatusInternalServerError, errServerError, "")
+				s.renderError(w, http.StatusInternalServerError, "Internal server error.")
 				return
 			}
 
@@ -683,12 +686,10 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, idToken, refreshToken s
 	w.Write(data)
 }
 
-func (s *Server) renderError(w http.ResponseWriter, status int, err, description string) {
-	http.Error(w, fmt.Sprintf("%s: %s", err, description), status)
-}
-
-func (s *Server) notFound(w http.ResponseWriter, r *http.Request) {
-	http.NotFound(w, r)
+func (s *Server) renderError(w http.ResponseWriter, status int, description string) {
+	if err := s.templates.err(w, http.StatusText(status), description); err != nil {
+		s.logger.Errorf("Server template error: %v", err)
+	}
 }
 
 func (s *Server) tokenErrHelper(w http.ResponseWriter, typ string, description string, statusCode int) {
diff --git a/server/server.go b/server/server.go
index ce31f7d81fafa674814d8516993e25bb67c585f5..0c292d13e93f2cd4a9a15f07bfdf246deadeace2 100644
--- a/server/server.go
+++ b/server/server.go
@@ -201,7 +201,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		prefix := path.Join(issuerURL.Path, p)
 		r.PathPrefix(prefix).Handler(http.StripPrefix(prefix, h))
 	}
-	r.NotFoundHandler = http.HandlerFunc(s.notFound)
+	r.NotFoundHandler = http.HandlerFunc(http.NotFound)
 
 	discoveryHandler, err := s.discoveryHandler()
 	if err != nil {
diff --git a/server/templates.go b/server/templates.go
index 03d1f280eede32f06c57feb17638e669ef5dd47f..6e1f1c8d6c3b1e1a2e2e03b7c86cf1db8a95ee2c 100644
--- a/server/templates.go
+++ b/server/templates.go
@@ -17,6 +17,7 @@ const (
 	tmplLogin    = "login.html"
 	tmplPassword = "password.html"
 	tmplOOB      = "oob.html"
+	tmplError    = "error.html"
 )
 
 var requiredTmpls = []string{
@@ -24,6 +25,7 @@ var requiredTmpls = []string{
 	tmplLogin,
 	tmplPassword,
 	tmplOOB,
+	tmplError,
 }
 
 type templates struct {
@@ -31,6 +33,7 @@ type templates struct {
 	approvalTmpl *template.Template
 	passwordTmpl *template.Template
 	oobTmpl      *template.Template
+	errorTmpl    *template.Template
 }
 
 type webConfig struct {
@@ -156,6 +159,7 @@ func loadTemplates(c webConfig, templatesDir string) (*templates, error) {
 		approvalTmpl: tmpls.Lookup(tmplApproval),
 		passwordTmpl: tmpls.Lookup(tmplPassword),
 		oobTmpl:      tmpls.Lookup(tmplOOB),
+		errorTmpl:    tmpls.Lookup(tmplError),
 	}, nil
 }
 
@@ -222,6 +226,14 @@ func (t *templates) oob(w http.ResponseWriter, code string) error {
 	return renderTemplate(w, t.oobTmpl, data)
 }
 
+func (t *templates) err(w http.ResponseWriter, errType string, errMsg string) error {
+	data := struct {
+		ErrType string
+		ErrMsg  string
+	}{errType, errMsg}
+	return renderTemplate(w, t.errorTmpl, data)
+}
+
 // small io.Writer utility to determine if executing the template wrote to the underlying response writer.
 type writeRecorder struct {
 	wrote bool
diff --git a/web/templates/error.html b/web/templates/error.html
new file mode 100644
index 0000000000000000000000000000000000000000..418f76fbd32ea5aac6f3699af1d038444ce04151
--- /dev/null
+++ b/web/templates/error.html
@@ -0,0 +1,8 @@
+{{ template "header.html" . }}
+
+<div class="theme-panel">
+  <h2 class="theme-heading">{{ .ErrType }}</h2>
+  <p>{{ .ErrMsg }}</p>
+</div>
+
+{{ template "footer.html" . }}