gothinkster / aspnetcore-realworld-example-app

ASP.NET Core backend implementation for RealWorld
https://realworld.io
MIT License

Is it possible that ErrorHandlingMiddleware could expose sensitive information? #27

Closed VictorioBerra closed 6 years ago

VictorioBerra commented 6 years ago

It appears that exception.Message is sent back to the user for any Exception. Should this be replaced with a constant message?

adamhathcock commented 6 years ago

It could be. This project is not meant to be an enterprise-ready project. It's an example of how ASP.NET Core works as a REST API with various features.

Normally, yes, you would return an error code back to the client and use that to find the exception in your logging to debug and fix issues.

VictorioBerra commented 6 years ago

While that is true, there are multiple examples of where we should be adhering to best practices in these apps.

From the official start guide and spec:

Alternatively, you should never forgo following fundamental best practices for the sake of simplicity, lest we teach that same newbie dev the wrong way of doing things.
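An added example (not the project's own ErrorHandlingMiddleware) of the approach described in the thread: the exception is logged server-side under a generated error id, and the client receives only a constant message plus that id. The class name, the generic message text and the RealWorld-style `errors.body` response shape are assumptions.

```csharp
using System;
using System.Net;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical replacement middleware: exception.Message, stack traces and
// inner exceptions never leave the server; only an opaque error id does.
public class SafeErrorHandlingMiddleware
{
    private const string GenericMessage = "An unexpected error occurred.";
    private readonly RequestDelegate _next;
    private readonly ILogger<SafeErrorHandlingMiddleware> _logger;

    public SafeErrorHandlingMiddleware(RequestDelegate next, ILogger<SafeErrorHandlingMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task Invoke(HttpContext context)
    {
        try
        {
            await _next(context);
        }
        catch (Exception ex)
        {
            // Correlation id the client can quote in a bug report; it is the
            // only link between the response and the full log entry.
            var errorId = Guid.NewGuid().ToString("N");
            _logger.LogError(ex, "Unhandled exception {ErrorId} for {Method} {Path}",
                errorId, context.Request.Method, context.Request.Path);

            if (context.Response.HasStarted)
            {
                // Headers are already on the wire; nothing safe can be written.
                throw;
            }

            context.Response.Clear();
            context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
            context.Response.ContentType = "application/json";
            var body = JsonSerializer.Serialize(
                new { errors = new { body = new[] { GenericMessage } }, errorId });
            await context.Response.WriteAsync(body);
        }
    }
}
```

Register it early in the pipeline with `app.UseMiddleware<SafeErrorHandlingMiddleware>();` so it wraps the handlers that can throw.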