hoangvvo / next-connect

The TypeScript-ready, minimal router and middleware layer for Next.js, Micro, Vercel, or Node.js http/http2
https://www.npmjs.com/package/next-connect
MIT License
1.63k stars, 65 forks

Default on error should simply return 500 with a generic error message #118

Closed dsebastien closed 2 years ago

dsebastien commented 3 years ago

It may just be me, but it seems dangerous for the default onError function to potentially expose internals when something blows up within the application.

A saner default behavior should be returning a 500 status code with a generic message like "Internal server error".

People that don't pay too much attention to security can quickly expose sensitive information like this.

hoangvvo commented 3 years ago

Sorry for missing the issue.

I agree, but this might be unexpected for users. Express.js shows the error message as is, I believe.

I can instead add a note in the README, something like: "The default onError may expose sensitive information. Consider adding a custom one."

dsebastien commented 3 years ago

I understand. That would be a good start, indeed ;-)