error-detail-leakage
API responses should not expose internal error details
Applies to: JavaScript, Python, TypeScript
Why this matters
Returning error.message, error.stack, or String(error) in API responses leaks internal implementation details to attackers — database table names, file paths, library versions, and SQL queries. Health endpoints that expose DB connection info reveal infrastructure details. Use generic error messages in responses and log detailed errors server-side.
Catch it before it ships
pip install stablestack # or: npx stablestackstablestack # scans your project, SEC014 includedstablestack explain SEC014SEC014 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.
False positive in your codebase? Suppress a single line with # noqa: SEC014
More Security checks
hardcoded-secret
Hardcoded secrets in code can be leaked and are hard to rotate
SEC002sql-injection
SQL queries built with string concatenation are vulnerable to injection
SEC003eval-usage
eval() executes arbitrary code and is a security risk
SEC004insecure-random
Non-cryptographic random is predictable and insecure for tokens/passwords
SEC005inner-html-xss
Direct innerHTML assignment can lead to XSS vulnerabilities
SEC006webhook-security-bypass
Webhook signature verification should never be skipped
SEC007oauth-state-validation
OAuth callback missing state parameter validation
SEC008plaintext-secrets
Sensitive tokens stored without encryption in database schema