Information Disclosure via Error Message
Verbose Error Messages
Excessively detailed error messages disclosed to end users may reveal sensitive information or enable secondary attacks. For example, a login or registration endpoint that explicitly states “invalid username” allows an adversary to enumerate valid accounts, while error stack traces can expose internal system details, database schemas, or configuration paths. Such disclosures reduce the effort required for brute-force attacks, privilege escalation, or targeted exploitation.
Remediation
- Capture detailed technical error information in centralised logs (e.g., SIEM, log aggregator) that are accessible only to authorised administrators.
- Generate a unique error identifier (ID) for each error and include it in the logs for traceability.
- Return only generic error messages to the user, along with the error ID for support or troubleshooting.
- Apply consistent error-handling policies across all application layers (API, frontend, backend).
- Ensure that verbose error output is disabled in production environments (e.g., disable debug stack traces).
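As an added illustration of the remediation steps above (example code, not from the original page), a minimal Python error handler that logs the full exception under a unique error ID and returns only a generic message to the client, alongside a login check that reports the same failure whether or not the username exists. The in-memory log sink, the USERS store and the function names are constructed for this example.

```python
import hmac
import logging
import traceback
import uuid
from typing import Dict, List, Tuple

# Constructed in-memory log sink so the example runs offline; in production this
# logger would forward to the centralised SIEM / log aggregator instead.
LOG_RECORDS: List[str] = []

class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_RECORDS.append(self.format(record))

log = logging.getLogger("app.errors")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False

GENERIC_MESSAGE = "An internal error occurred. Quote the reference ID when contacting support."

def handle_exception(exc: BaseException, debug: bool = False) -> Tuple[int, Dict[str, str]]:
    """Map an unhandled exception to a safe client response: the exception text and
    stack trace go only to the log, tagged with a unique error ID, and the client
    receives the generic message plus that ID for support traceability."""
    error_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error_id=%s exc=%r\n%s", error_id, exc, trace)
    body = {"error": GENERIC_MESSAGE, "error_id": error_id}
    if debug:  # must be False in production: no stack traces to clients
        body["detail"] = trace
    return 500, body

# Constructed user store: username -> password. Plaintext only to keep the
# example short; a real store holds salted password hashes.
USERS = {"alice": "correct horse battery staple"}

def login(username: str, password: str) -> Tuple[int, Dict[str, str]]:
    """Return an identical 401 body whether the account exists or not, so the
    response cannot be used to enumerate valid usernames (CWE-204)."""
    # Run the comparison even for unknown users so both failure cases take the
    # same code path instead of returning early with a different message.
    stored = USERS.get(username, "")
    ok = hmac.compare_digest(stored.encode(), password.encode())
    if username in USERS and ok:
        return 200, {"status": "ok"}
    return 401, {"error": "Invalid username or password"}
```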
Metadata
- Severity: low
- Slug: information-disclosure-via-error-message
CWEs
- 209: Generation of Error Message Containing Sensitive Information
- 204: Observable Response Discrepancy
- 210: Self-generated Error Message Containing Sensitive Information
- 200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP
- A04:2021: Insecure Design
- A05:2021: Security Misconfiguration
- A09:2021: Security Logging and Monitoring Failures