Hi Vladimir,

All of these arguments are relevant. I suggest providing the full stack trace, at least via a server option. This is also common practice on web servers.

Sincerely,
Dmitriy Pavlov

Tue, 19 Sep 2017 at 10:20, Vladimir Ozerov <voze...@gridgain.com>:

> Igniters,
>
> We had a discussion about how to propagate error information from cluster
> nodes to the client. My opinion is that we should pass a kind of vendor
> code plus an optional error message, if the vendor code is not very specific.
>
> An alternative idea is to pass the whole stack trace as well. I agree that
> this is very useful for debugging purposes, but on the other hand IMO it
> imposes a security risk. By sending invalid requests to the server, a user might
> get sensitive information about the server configuration, such as its version,
> the version of the underlying database, frameworks, etc. This information may
> help an attacker to apply some version-specific attacks. This is the precise
> reason why default error pages of web servers with stack traces are always
> replaced with some stubs.
>
> This is why I think we should not include stack traces.
>
> What do you think?
>
> Vladimir.
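
The two positions in this thread can be combined on the server side. The sketch below is an added example, not part of either message and not Apache Ignite code: the class, the vendor codes, the `sendStackTraces` option and the "ExampleDB" failure are all hypothetical. The full trace always goes to the server log under an incident id, and the client receives a vendor code and a fixed message unless the option is switched on.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration (Java 16+). All names are hypothetical, not Apache Ignite APIs.
public class ErrorPropagation {
    private static final Logger LOG = Logger.getLogger("server");

    // Constructed vendor codes: one specific, one deliberately generic.
    static final int INVALID_REQUEST = 1001;
    static final int INTERNAL_ERROR = 5000;

    // What crosses the wire to the client.
    record ErrorResponse(int vendorCode, String message, String incidentId, String stackTrace) {}

    // sendStackTraces models the proposed server option; it should default to false.
    static ErrorResponse toResponse(Throwable err, boolean sendStackTraces) {
        String incidentId = UUID.randomUUID().toString();
        // The full trace always goes to the server log, keyed by the incident id.
        LOG.log(Level.SEVERE, "Request failed, incident " + incidentId, err);

        boolean clientFault = err instanceof IllegalArgumentException;
        int code = clientFault ? INVALID_REQUEST : INTERNAL_ERROR;
        // A message accompanies only the non-specific code, and it is fixed text:
        // err.getMessage() can itself carry versions, paths or SQL fragments.
        String message = clientFault ? null : "Internal error, quote the incident id to the operator";

        String trace = null;
        if (sendStackTraces) {
            StringWriter sw = new StringWriter();
            err.printStackTrace(new PrintWriter(sw, true));
            trace = sw.toString();
        }
        return new ErrorResponse(code, message, incidentId, trace);
    }

    public static void main(String[] args) {
        // Constructed failure whose text names a component and its version.
        Throwable err = new IllegalStateException("query failed",
            new RuntimeException("ExampleDB 1.2.3: syntax error near 'FROM'"));

        ErrorResponse dflt = toResponse(err, false);
        ErrorResponse debug = toResponse(err, true);
        System.out.println("default: code=" + dflt.vendorCode() + " trace=" + dflt.stackTrace());
        System.out.println("debug leaks version: " + debug.stackTrace().contains("ExampleDB 1.2.3"));
    }
}
```

With the option off, an operator can still find the full trace in the server log by the incident id the client reports.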