Security: Internal error details and stack traces are returned to API clients#2145

Open
tomaioo wants to merge 1 commit into asyncapi:master from tomaioo:fix/security/internal-error-details-and-stack-traces-

Conversation

@tomaioo tomaioo commented Apr 24, 2026

Summary

Security: Internal error details and stack traces are returned to API clients

Problem

Severity: High | File: src/apps/api/middlewares/problem.middleware.ts:L31

The global problem handler serializes 5xx errors with includeStack: true and includeCause: true, then returns them in JSON responses. This can expose internal implementation details (stack traces, dependency paths, error causes), which helps attackers with reconnaissance and exploit development.

Solution

Do not include stack traces or causes in client-facing responses by default. Gate verbose error output behind a strict development-only check (e.g., NODE_ENV === 'development'), and always return sanitized generic messages in production.

Changes

  • src/apps/api/middlewares/problem.middleware.ts (modified)

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
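To make the before/after concrete, here is an added example (not code from the asyncapi project or this PR): a minimal RFC 7807 style problem serializer with the leaky setting the PR describes beside the hardened one. The names serializeProblem, leakyHandler, hardenedHandler and leaksInternals are hypothetical, and the sample error is constructed.

```typescript
// Added example, not code from the asyncapi project: a minimal RFC 7807 style
// problem serializer showing the leaky setting beside the hardened one.
// serializeProblem, leakyHandler, hardenedHandler, leaksInternals are hypothetical.
interface ProblemBody {
  type: string;
  title: string;
  status: number;
  detail?: string;  // real message: safe for 4xx, development-only for 5xx
  stack?: string;   // never safe in client-facing production output
  cause?: unknown;  // never safe in client-facing production output
}

interface SerializeOptions { includeStack: boolean; includeCause: boolean; }
type HttpError = Error & { status?: number; cause?: unknown };

function serializeProblem(err: HttpError, opts: SerializeOptions): ProblemBody {
  const status = err.status ?? 500;
  const body: ProblemBody = { type: 'about:blank', title: 'Internal Server Error', status };
  if (status < 500) {
    body.title = err.message;  // client errors describe the caller's own input
  } else if (opts.includeStack || opts.includeCause) {
    body.detail = err.message; // verbose mode also surfaces the real 5xx message
  }
  if (opts.includeStack && err.stack) body.stack = err.stack;
  if (opts.includeCause && err.cause !== undefined) body.cause = err.cause;
  return body;
}

// Before: the handler always serializes 5xx errors with stack and cause.
function leakyHandler(err: HttpError): ProblemBody {
  return serializeProblem(err, { includeStack: true, includeCause: true });
}

// After: pass process.env.NODE_ENV as env; verbose output only when it is exactly
// 'development', so production, staging and an unset value all get the generic body.
function hardenedHandler(err: HttpError, env: string | undefined): ProblemBody {
  const verbose = env === 'development';
  return serializeProblem(err, { includeStack: verbose, includeCause: verbose });
}

// Regression check for a test suite: does a serialized body carry internals?
function leaksInternals(body: ProblemBody): boolean {
  return body.stack !== undefined || body.cause !== undefined
    || /node_modules|\.[tj]s:\d+/.test(JSON.stringify(body));
}

// Constructed sample: a database failure surfaced as a 500 with a cause.
const dbError: HttpError = Object.assign(new Error('connect ECONNREFUSED 10.0.0.5:5432'),
  { status: 500, cause: new Error('pool exhausted') });
```

Running leaksInternals over every 5xx response in an integration test is the cheap way to keep this class of leak from coming back after the fix.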
changeset-bot Bot commented Apr 24, 2026

⚠️ No Changeset found

Latest commit: c2be75c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

