Closed dsebastien closed 2 years ago
Sorry for missing the issue.
I agree, but this might be unexpected for users. Express.js shows the error message as is, I believe.
I can instead add a note in the README, something like: "The default onError may expose sensitive information. Consider adding a custom one."
I understand. That would be a good start, indeed ;-)
It may just be me, but it seems dangerous for the default onError function to potentially expose internals when something blows up within the application.
A saner default behavior should be returning a 500 status code with a generic message like "Internal server error".
People that don't pay too much attention to security can quickly expose sensitive information like this.