An error thrown by code running in the server should never be exposed to a client.
`Error` objects carry information such as the state of the call stack, bugs in the server code, the dependencies used by the server application, etc.
An attacker can deliberately send requests that trigger errors in order to learn about the server's code layout and possible vulnerabilities.
import express from "express"
const app = express();

// Anti-pattern: the caught Error object itself is written to the response.
app.get("/user/:name", async (req, res) => {
  const { name } = req.params;
  try {
    const user = await getUserFromDb(name);
    res.json(user);
  } catch (err) {
    res.status(404);
    // Hands the requester the dependencies and layout of the server's
    // codebase (whatever the serialized Error object contains).
    res.send(err);
    // Equally harmful: res.send(err.stack), res.write(err.message), etc.
  }
});
import express from "express"
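const app = express();

// Only a fixed, generic message reaches the client; the Error object
// (stack, message, module paths) goes to the server log and nowhere else.
app.get("/user/:name", async (req, res) => {
  const { name } = req.params;
  try {
    const user = await getUserFromDb(name);
    res.json(user);
  } catch (err) {
    console.error(err); // full details for operators, via server logs only.
    // 500 matches the generic "Internal server error." text; the previous
    // version answered 404 with that same message, pairing a not-found
    // status with a server-failure body. If getUserFromDb signals a missing
    // user with a distinct error type, map that case to 404 before this
    // catch-all — TODO confirm what it throws.
    res.status(500).send("Internal server error.");
  }
});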