MEDIUMSecuritysmallNode.js Security

Avoid leaking stack traces and internal errors to clients

Return generic error messages to clients and log details server-side; never expose stack traces or internals.

Why This Matters

Verbose errors reveal stack traces, paths, and library versions that aid attackers (OWASP A05/A09).

Related Rules

Sanitize User Input

Security

CRITICAL

Avoid eval() and Dynamic Code Execution

Security

CRITICAL

Set Security Headers

Security

HIGH

Avoid Prototype Pollution

Security

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and dozens more. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why this matters

Detailed error output discloses framework versions, file paths, and query structure — a roadmap for attackers. Send a generic message to the client and keep full diagnostics in server logs.

// Bad: leak the raw error to the client
app.use((err, req, res, next) => res.status(500).json({ error: err.stack }));
 
// Good: log internally, respond generically
app.use((err, req, res, next) => {
  log.error({ err }, "request_failed");
  res.status(500).json({ error: "Internal server error" });
});