SEC014warningPro

error-detail-leakage

API responses should not expose internal error details

Applies to: JavaScript, Python, TypeScript

Why this matters

Returning error.message, error.stack, or String(error) in API responses leaks internal implementation details to attackers — database table names, file paths, library versions, and SQL queries. Health endpoints that expose DB connection info reveal infrastructure details. Use generic error messages in responses and log detailed errors server-side.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC014 includedstablestack explain SEC014

SEC014 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC014