HIGHQualitysmallError Handling

Don't expose internal errors or stack traces to users

Return a generic, safe message to clients while logging full details server-side. Leaking stack traces, SQL, or file paths aids attackers and confuses users.

Why This Matters

Exposed stack traces and raw error messages leak implementation details, file paths, and query structure that attackers use for reconnaissance.

Related Rules

Use Error Boundaries

Quality

HIGH

Log Errors with Context

Quality

HIGH

Never silently swallow errors

Quality

HIGH

Fail fast and handle errors at boundaries

Quality

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and dozens more. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why this matters

Raw error output can reveal database schema, internal file paths, dependency versions, and even secrets — a direct information-disclosure risk. Log the full error with context server-side, and send the client a generic message plus a correlation id for support.

// Bad — leaks internals straight to the client
catch (err) {
  return Response.json({ error: String(err) }, { status: 500 });
}
 
// Good — log detail, return a safe message
catch (err) {
  const errorId = crypto.randomUUID();
  logger.error({ err, errorId }, "request_failed");
  return Response.json(
    { error: "Something went wrong.", errorId },
    { status: 500 },
  );
}