docs: add section for secure error reporting #6153
Labels: ✅ accepted-PRs-welcome (Feature proposal is accepted and ready to work on); 📚 documentation / examples (Improvements or additions to documentation)
Area of Improvement
By default, the errors sent from the backend to the client are quite verbose. This might be good for prototyping an app, but I wouldn't like this to stay for a production app, especially because OWASP mentions this as a security flaw: https://owasp.org/www-community/Improper_Error_Handling
The docs should contain a section where one could see a best practice of how errors should be dealt with. I would expect any unknown exception to just return a common error message like "Internal Server Error" and hand it over to an exception handler (the default implementation could just log it out to the console; other implementations like Sentry could pick it up by providing a middleware), whereas other errors, which are request-related, should just contain the error itself, but not a stack trace or any direct sign, e.g. showing that I use zod for input validation. I'm not very familiar with what all is possible or implemented, but have briefly looked at https://www.jsonrpc.org/specification#error_object and https://trpc.io/docs/server/error-formatting.
A good starting point would be if someone could point me to where and how the individual error codes reported by JSON-RPC are determined, and I can come up with something that we could add to the docs as a first draft that people could decide on how they want things to be.
Link to related docs
https://trpc.io/docs/server/error-handling
Additional information
No response
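The split the issue asks for (generic message plus server-side reporting for unknown failures; request-related errors echoed without a stack trace or validator internals) can be written as a formatter in the shape of tRPC's documented `errorFormatter({ shape, error })` hook and a reporter in the shape of the adapter `onError` hook. The block below is an added example, not the tRPC project's code and not the issue author's: it imports nothing from `@trpc/server`, and the `ErrorShape` / `ServerError` interfaces, the `CLIENT_FACING_CODES` list, and the sample errors are constructed here to mirror the documented arguments so the file runs stand-alone. The numeric codes in the sample (-32603, -32600) are the JSON-RPC "Internal error" and "Invalid Request" values.

```typescript
// Added example: production-oriented error formatting and reporting in the
// shape of tRPC's errorFormatter / onError hooks. Not imported from
// @trpc/server; the interfaces are constructed to mirror the documented
// `shape` and `error` arguments.

interface ErrorShape {
  message: string;
  code: number; // JSON-RPC style numeric code, assigned by the framework
  data: {
    code: string;
    httpStatus: number;
    path?: string;
    stack?: string;
    [key: string]: unknown;
  };
}

interface ServerError {
  code: string;    // e.g. 'BAD_REQUEST', 'INTERNAL_SERVER_ERROR'
  message: string;
  cause?: unknown; // the originally thrown value, e.g. a validation error
  stack?: string;
}

interface ValidationIssue {
  path: Array<string | number>;
  message: string;
}

// Codes that describe a problem with the caller's request. Their messages are
// written for the caller and are safe to echo. Anything else is treated as an
// internal failure whose details must stay on the server.
const CLIENT_FACING_CODES = new Set<string>([
  'PARSE_ERROR', 'BAD_REQUEST', 'UNAUTHORIZED', 'FORBIDDEN', 'NOT_FOUND',
  'METHOD_NOT_SUPPORTED', 'TIMEOUT', 'CONFLICT', 'PRECONDITION_FAILED',
  'PAYLOAD_TOO_LARGE', 'UNPROCESSABLE_CONTENT', 'TOO_MANY_REQUESTS',
]);

const GENERIC_MESSAGE = 'Internal Server Error';

// Duck-typed check for a zod-style error (an object carrying an `issues`
// array). Only path and message are copied out, so validator internals such
// as `code`, `expected` or `received` never reach the wire.
function validationIssues(cause: unknown): ValidationIssue[] | null {
  if (typeof cause !== 'object' || cause === null) return null;
  const issues = (cause as { issues?: unknown }).issues;
  if (!Array.isArray(issues)) return null;
  const out: ValidationIssue[] = [];
  for (const issue of issues) {
    if (typeof issue === 'object' && issue !== null &&
        Array.isArray((issue as { path?: unknown }).path) &&
        typeof (issue as { message?: unknown }).message === 'string') {
      out.push({ path: (issue as ValidationIssue).path, message: (issue as ValidationIssue).message });
    }
  }
  return out;
}

// Collapse issues into { "user.email": ["Invalid email"] }: names and messages only.
function toFieldErrors(issues: ValidationIssue[]): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const issue of issues) {
    const key = issue.path.length > 0 ? issue.path.join('.') : '_root';
    if (!out[key]) out[key] = [];
    out[key].push(issue.message);
  }
  return out;
}

// Formatter: the function one would pass as `errorFormatter`.
export function formatClientError(shape: ErrorShape, error: ServerError): ErrorShape {
  const data = { ...shape.data };
  delete data.stack; // never ship a stack trace, whatever the error class

  if (!CLIENT_FACING_CODES.has(error.code)) {
    // Unknown failure: generic message, keep only routing metadata (code, status, path).
    return { ...shape, message: GENERIC_MESSAGE, data };
  }
  const issues = validationIssues(error.cause);
  if (issues !== null) {
    return { ...shape, message: 'Invalid input', data: { ...data, fieldErrors: toFieldErrors(issues) } };
  }
  return { ...shape, data };
}

// Reporter: the logic one would run in the adapter's `onError` hook. It sees
// the unredacted error and hands it to a sink (console, Sentry, ...). Returns
// whether the error was reported, so callers can count incidents.
export function reportServerError(
  error: ServerError,
  sink: (error: ServerError, path?: string) => void,
  path?: string,
): boolean {
  if (CLIENT_FACING_CODES.has(error.code)) return false; // caller's fault, not an incident
  sink(error, path);
  return true;
}

// Constructed sample: a database failure whose raw message leaks a host:port.
const dbFailure: ServerError = {
  code: 'INTERNAL_SERVER_ERROR',
  message: 'connect ECONNREFUSED 10.0.0.5:5432',
  stack: 'Error: connect ECONNREFUSED 10.0.0.5:5432\n    at TCPConnectWrap.afterConnect',
};
console.log(formatClientError(
  { message: dbFailure.message, code: -32603, data: { code: dbFailure.code, httpStatus: 500, path: 'user.create', stack: dbFailure.stack } },
  dbFailure,
));
```

Reporting belongs in `onError` rather than in the formatter because the formatter only sees what is about to be serialized; `onError` still has the original exception, the procedure path and the request context, which is what a log line or a Sentry event needs. The allow-list of client-facing codes is the deliberate choice here: a new or unexpected code falls into the redacted branch rather than the echoed one.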