From c2be75c52fd980fdc5ab4ec3fea96c4cf404c9b4 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Thu, 23 Apr 2026 23:24:08 -0700
Subject: [PATCH] fix(apps): internal error details and stack traces are return

The global problem handler serializes 5xx errors with `includeStack: true` and `includeCause: true`, then returns them in JSON responses. This can expose internal implementation details (stack traces, dependency paths, error causes), which helps attackers with reconnaissance and exploit development.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/apps/api/middlewares/problem.middleware.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/apps/api/middlewares/problem.middleware.ts b/src/apps/api/middlewares/problem.middleware.ts
index 044297637..da5f1d889 100644
--- a/src/apps/api/middlewares/problem.middleware.ts
+++ b/src/apps/api/middlewares/problem.middleware.ts
@@ -26,9 +26,10 @@ export function problemMiddleware(
     );
     const isError = status >= 500;
+    const isDevelopment = process.env.NODE_ENV === 'development';
     const problem = error.toObject({
-      includeStack: isError,
-      includeCause: isError,
+      includeStack: isError && isDevelopment,
+      includeCause: isError && isDevelopment,
     });
     res.status(status).json(problem);
   } catch (err: unknown) {
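Review bot: The gate only suppresses `includeStack` and `includeCause`; whatever else `error.toObject` serializes for a 5xx (presumably a `detail`/message field) still goes to the client unchanged, and for wrapped driver or filesystem errors that message text can itself carry internal paths or query fragments, so consider also substituting a generic detail when `isError && !isDevelopment` — verify against `toObject`'s output shape, which is not visible here. The new `NODE_ENV === 'development'` check is correctly fail-closed (an unset or mistyped NODE_ENV yields the redacted form), but that intent deserves a comment next to the added line, e.g. `// Stack traces and causes are only serialized in development; any other NODE_ENV value (including unset) stays redacted.` Since the flag does not depend on the request, it could be hoisted to a module-level `const` rather than re-read from `process.env` on every error. The `@@` header counts 9/10 lines but only 8/9 are legible after the whitespace collapse, and `problemMiddleware` (including the `catch` branch that starts on the hunk's last line) continues outside the hunk, so the fallback path was not reviewed.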