Don't serialize server errors to client.
Server side errors may contain just about anything, such as e.g.
secrets, and, therefore, it seems like a bad idea to unconditionally
send these back to the client. In general, there is nothing a client can
do about an internal server error even if the specific internal error
message is known. The server developer can already see the error in
server logs so there isn't really any loss of information.

If the current behavior is actually desired it can be achieved by an
outer `try-catch` in the handler function. (Of course, an outer
`try-catch` can also be used to make sure that a server side error never
ends up at the client, but it is better to be safe by default.)
fredrikekre committed Nov 23, 2023
1 parent 5cd586d commit 0f4678a
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion src/Servers.jl
Expand Up @@ -467,7 +467,6 @@ function handle_connection(f, c::Connection, listener, readtimeout, access_log)
if isopen(http) && !iswritable(http)
request.response.status = 500
startwrite(http)
write(http, sprint(showerror, e))
closewrite(http)
end
c.state = CLOSING
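
Review bot: With `write(http, sprint(showerror, e))` gone from the `request.response.status = 500` branch (the one deletion in this hunk), the 500 response is sent with an empty body between `startwrite(http)` and `closewrite(http)`, and nothing in the visible lines shows `e` being logged. The commit message relies on the error being available in server logs, so please confirm that `e` is logged before this branch is reached. Consider writing a fixed, non-sensitive body (for example a constant "Internal Server Error" string) so clients still get a readable response without any exception text. A test asserting that the 500 body does not contain the exception message would keep this from regressing, and a changelog entry would help users who depended on the old body.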