TL;DR
Error messages help attackers. Stack traces reveal file paths, database errors expose schema, and verbose errors guide exploitation. Show generic messages to users, log details server-side. These prompts help you implement secure error handling patterns.
Error Handler Middleware
Use this prompt to set up a centralized Express error handler with a custom AppError class. Your AI will generate environment-aware error middleware that logs full details server-side while returning safe, generic messages to users in production.
Express Error Handler
Add secure error handling to my Express application.
// Custom error class class AppError extends Error { constructor(message, statusCode, isOperational = true) { super(message); this.statusCode = statusCode; this.isOperational = isOperational; // Expected errors vs bugs Error.captureStackTrace(this, this.constructor); } }
// Error handler middleware (must be last) const errorHandler = (err, req, res, next) => { // Log full error for debugging console.error('Error:', { message: err.message, stack: err.stack, url: req.url, method: req.method, userId: req.user?.id, timestamp: new Date().toISOString() });
// Determine status code const statusCode = err.statusCode || 500;
// Response based on environment if (process.env.NODE_ENV === 'production') { // Generic message for production res.status(statusCode).json({ error: statusCode === 500 ? 'An unexpected error occurred' : err.message }); } else { // Detailed for development res.status(statusCode).json({ error: err.message, stack: err.stack }); } };
app.use(errorHandler);
Usage: throw new AppError('Resource not found', 404); throw new AppError('Invalid input', 400);
API Error Responses
Paste this prompt to create a consistent, secure API error response format. Your AI will generate structured error codes for every HTTP status (400, 401, 403, 404, 429, 500) with safe user-facing messages and request IDs for support correlation.
Secure API Error Responses
Make my API error responses secure and consistent.
// BAD - reveals too much { "error": "SequelizeDatabaseError: relation "users" does not exist", "query": "SELECT * FROM users WHERE id = 1", "stack": "at Query.run (/app/node_modules/sequelize/..." }
// GOOD - safe for production { "error": { "code": "NOT_FOUND", "message": "The requested resource was not found" } }
Error response patterns:
// 400 Bad Request { "error": { "code": "INVALID_INPUT", "message": "Email format is invalid" }}
// 401 Unauthorized { "error": { "code": "UNAUTHORIZED", "message": "Authentication required" }}
// 403 Forbidden (don't reveal resource exists) { "error": { "code": "NOT_FOUND", "message": "Resource not found" }}
// 404 Not Found { "error": { "code": "NOT_FOUND", "message": "Resource not found" }}
// 429 Rate Limited { "error": { "code": "RATE_LIMITED", "message": "Too many requests" }}
// 500 Internal Error (never reveal details) { "error": { "code": "INTERNAL_ERROR", "message": "An unexpected error occurred" }}
Include request ID for support: { "error": { "code": "INTERNAL_ERROR", "message": "...", "requestId": "abc123" }}
Forbidden vs Not Found: Don't tell attackers a resource exists but they can't access it. For sensitive resources, return 404 instead of 403 to avoid revealing existence.
Database Error Handling
Copy this prompt to generate a database error wrapper that catches ORM exceptions and translates them into safe application errors. Your AI will map common database error codes (unique violations, foreign key failures) to user-friendly messages without exposing table names or queries.
Sanitize Database Errors
Handle database errors without exposing sensitive details.
Database errors often contain:
- Table/column names
- SQL queries
- Connection strings
- Schema information
Wrap database calls:
async function safeDbQuery(queryFn) { try { return await queryFn(); } catch (error) { // Log full error for debugging console.error('Database error:', { message: error.message, code: error.code, query: error.sql, // Log but don't expose stack: error.stack });
// Return generic error
if (error.code === '23505') { // Unique violation
throw new AppError('This record already exists', 409);
}
if (error.code === '23503') { // Foreign key violation
throw new AppError('Referenced record not found', 400);
}
// Generic for unknown database errors
throw new AppError('Database operation failed', 500);
} }
// Usage const user = await safeDbQuery(() => db.users.findUnique({ where: { id } }) );
Never pass database error messages directly to responses.
Frontend Error Handling
Use this prompt to create a React Error Boundary component that catches rendering errors gracefully. Your AI will generate a class component with error tracking integration, unique error IDs for support, and a user-friendly fallback UI that never displays stack traces.
React Error Boundaries
Add error boundaries that don't leak information in React.
class ErrorBoundary extends React.Component { state = { hasError: false, errorId: null };
static getDerivedStateFromError(error) { return { hasError: true }; }
componentDidCatch(error, errorInfo) { // Generate unique error ID for support const errorId = crypto.randomUUID(); this.setState({ errorId });
// Log to error tracking (Sentry, etc.)
// Don't show these details to users
logError({
errorId,
error: error.message,
stack: error.stack,
componentStack: errorInfo.componentStack,
});
}
render() { if (this.state.hasError) { return (
Something went wrong
We've been notified and are working on it.
{this.state.errorId && (
Error ID: {this.state.errorId}
)}
window.location.reload()}>
Try Again
);
}
return this.props.children;
} }
// Wrap your app
Never display error.message or stack traces to users in production.
Pro tip: Use error tracking services like Sentry or LogRocket. They capture full error details for debugging while showing users friendly messages. Include request IDs to correlate user reports with logs.
How do I debug production errors without verbose messages?
Use error tracking services (Sentry, Bugsnag), structured logging with request IDs, and log aggregation. You get full details in your tools without exposing them to attackers.
Should I show different errors for development?
Yes, but be careful. Check NODE_ENV to show detailed errors only in development. Never deploy with development error handling active.
Further Reading
Want to understand the vulnerability before fixing it? These guides explain what's happening and why.
Find Verbose Errors
Scan your application for error messages that leak sensitive information.