JavaScript

Made by DeepSource

Found error handling middleware in production JS-S1024

Category: Security | Severity: Major | Tags: A05 (OWASP Top 10), CWE-215, CWE-489

The errorhandler middleware should only be enabled in development mode. Enabling it in production can reveal sensitive information about your application to a client, including file paths, error messages, directory structure, and debug instructions.

Bad Practice

import express from 'express'
import errorhandler from 'errorhandler'

const app = express()

// This will enable the error handler in both development
// and production
app.use(errorhandler())

Recommended

import express from 'express'
import errorhandler from 'errorhandler'

const app = express()

if (process.env.NODE_ENV === 'development') {
  app.use(errorhandler())
}
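The following is an added example, not DeepSource's rule code and not the errorhandler package. It reproduces the environment gate from the recommended snippet in plain Node.js (no express dependency, so it runs anywhere) and adds what the recommended snippet leaves implicit: a production-safe handler that sends a generic body while the details go to the server log. The names verboseErrorHandler, safeErrorHandler, selectErrorHandler, leaksInternals and demo are hypothetical, and the thrown error is constructed for the demo.

```javascript
// Added example (not DeepSource's or the errorhandler package's code).
// Hypothetical names: verboseErrorHandler, safeErrorHandler,
// selectErrorHandler, leaksInternals, demo.

// What a development-only tool such as errorhandler exposes to the client:
// the message plus a stack trace full of absolute file paths.
function verboseErrorHandler(err) {
  return {
    status: 500,
    body: { error: err.message, stack: err.stack },
  };
}

// What production should send: a generic body. The details go to the
// server log (the `log` callback) and never into the response.
function safeErrorHandler(err, log = () => {}) {
  log(`[error] ${err.message}\n${err.stack}`);
  return {
    status: 500,
    body: { error: 'Internal Server Error' },
  };
}

// Same gate as the recommended snippet: verbose output only when NODE_ENV
// is exactly 'development'. An unset or misspelled NODE_ENV therefore
// falls through to the safe handler, which is the direction you want.
function selectErrorHandler(nodeEnv) {
  return nodeEnv === 'development' ? verboseErrorHandler : safeErrorHandler;
}

// Detection helper: does any string in the response body contain a
// stack-frame line ("    at fn (/path/to/file.js:12:3)")? Suitable as a
// unit test run in CI against the production configuration.
function leaksInternals(response) {
  return Object.values(response.body).some(
    (v) => typeof v === 'string' && /^\s+at /m.test(v)
  );
}

// Run the same failure under a given environment and return what the
// client would receive plus what the server would have logged.
function demo(nodeEnv) {
  const logLines = [];
  const handler = selectErrorHandler(nodeEnv);
  let response;
  try {
    throw new Error('database connection refused'); // constructed failure
  } catch (err) {
    response = handler(err, (line) => logLines.push(line));
  }
  return { response, logLines };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const env of ['development', 'production', undefined]) {
    const { response } = demo(env);
    console.log(`NODE_ENV=${env}: leaks internals = ${leaksInternals(response)}`);
  }
}
```

The check in selectErrorHandler is deliberately an equality test against 'development' rather than an inequality against 'production': a deployment that forgets to set NODE_ENV at all then gets the safe handler, not the verbose one.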
