Verbose Error Response
Error stack traces leaked in API responses
warning | Security
verbose-error-response
Why this matters
Stack traces reveal file paths, dependency versions, and internal logic. Attackers use this information to find vulnerabilities and craft targeted exploits.
✗ Bad
export async function GET() {
  try {
    const data = await fetchData();
    return Response.json(data);
  } catch (error) {
    // Sends the raw error message and stack trace to the client
    return Response.json(
      { error: error.message, stack: error.stack },
      { status: 500 }
    );
  }
}
✓ Good
export async function GET() {
  try {
    const data = await fetchData();
    return Response.json(data);
  } catch (error) {
    // Full error, including the stack, stays in the server log
    console.error("fetchData failed:", error);
    // The client sees only a generic message
    return Response.json(
      { error: "Internal server error" },
      { status: 500 }
    );
  }
}
How to fix
Log the full error server-side for debugging. Return a generic error message to the client. Never send stack traces, file paths, or internal details in API responses.
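
The fix above applied once for every route, as an added example that is not part of the rule's own documentation. The names `toClientError`, `withSafeErrors`, `findLeaks` and the `errorId` field are hypothetical; the `errorId` is an assumed convention that lets a client report be matched to the server-side log line.

```javascript
// Added example. All names here are hypothetical, not from the page.

// Patterns that indicate internal details in a serialized response body.
const LEAK_PATTERNS = {
  stackFrame: /\bat .+:\d+:\d+\)?/,
  modulePath: /node_modules[\\\/]/,
  sourcePath: /(?:[A-Za-z]:\\|\/)[\w.\\\/-]+\.(?:js|mjs|cjs|ts|tsx)\b/,
};

// Return the names of the leak patterns found in a response body string.
function findLeaks(bodyText) {
  return Object.keys(LEAK_PATTERNS).filter((k) => LEAK_PATTERNS[k].test(bodyText));
}

// Correlation key for log lookup only; it is not a secret.
function newErrorId() {
  return globalThis.crypto?.randomUUID?.() ??
    Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
}

// Log the full error server-side and build the generic client payload.
function toClientError(error, { log = console.error, makeId = newErrorId } = {}) {
  const errorId = makeId();
  // Thrown values are not always Error objects (strings, plain objects).
  const detail = error instanceof Error ? error.stack ?? error.message : String(error);
  log(`[${errorId}] request failed: ${detail}`);
  return { status: 500, body: { error: "Internal server error", errorId } };
}

// Wrap a route handler so no catch path can return error.message or error.stack.
function withSafeErrors(handler, options) {
  return async (...args) => {
    try {
      return await handler(...args);
    } catch (error) {
      const { status, body } = toClientError(error, options);
      return Response.json(body, { status });
    }
  };
}
```

A route is wrapped as `withSafeErrors(async () => Response.json(await fetchData()))`. `findLeaks` can be run over response bodies in integration tests to catch a handler that reintroduces the Bad pattern.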