James Howe opened SPR-14771 and commented

By default, validation errors on @Controller method parameters result in a response body detailing the specific FieldErrors.

Primarily for security purposes, it would be desirable to disable the echoing of the rejectedValue, both globally and perhaps with some kind of field annotation. This would reduce the chance of sensitive data (passwords, PII, etc.) ending up in logs, for example.

I realise that the whole response can be fully customised anyway, but it seems like this sort of thing should be available by default, to help people secure their systems.

Issue Links:
- #18408 Addressing Mass Assignment vulnerabilities with @NoBind annotation for domain objects
- #21857 Quartz job bean can't have constructor with injected parameters
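The kind of customisation the issue refers to can be done today with a `@ControllerAdvice`. The following is an added example, not code from the issue and not part of the Spring Framework: it replaces the default error body with one that withholds `rejectedValue` unless a global switch allows echoing and the bound field is not marked with a hypothetical `@NoEcho` annotation. The names `NoEcho`, `FieldProblem`, `ValidationErrorAdvice` and `echoRejectedValues` are assumptions of this example; the Spring and Jackson types and methods used (`MethodArgumentNotValidException`, `BindException`, `BindingResult`, `FieldError`, `@JsonInclude`) are real.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.List;
import java.util.stream.Collectors;

import com.fasterxml.jackson.annotation.JsonInclude;
import org.springframework.http.HttpStatus;
import org.springframework.validation.BindException;
import org.springframework.validation.BindingResult;
import org.springframework.validation.FieldError;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;

/** Hypothetical marker (not a Spring annotation): the rejected value of this field is never echoed. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface NoEcho {
}

/** Error entry returned to the client; rejectedValue is left out of the JSON when withheld. */
@JsonInclude(JsonInclude.Include.NON_NULL)
final class FieldProblem {
    public final String field;
    public final String message;
    public final Object rejectedValue; // null means withheld

    FieldProblem(String field, String message, Object rejectedValue) {
        this.field = field;
        this.message = message;
        this.rejectedValue = rejectedValue;
    }
}

@ControllerAdvice
public class ValidationErrorAdvice {

    /** Global switch: when false, no rejected value is ever echoed, whatever the field annotations say. */
    private final boolean echoRejectedValues;

    public ValidationErrorAdvice() {
        this(false); // secure default chosen for this example
    }

    ValidationErrorAdvice(boolean echoRejectedValues) {
        this.echoRejectedValues = echoRejectedValues;
    }

    // @RequestBody + @Valid failures
    @ExceptionHandler(MethodArgumentNotValidException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ResponseBody
    public List<FieldProblem> onBodyInvalid(MethodArgumentNotValidException ex) {
        return toProblems(ex.getBindingResult());
    }

    // @ModelAttribute (form or query parameter binding) failures
    @ExceptionHandler(BindException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ResponseBody
    public List<FieldProblem> onBindInvalid(BindException ex) {
        return toProblems(ex.getBindingResult());
    }

    /** Maps each FieldError to a client-facing entry, keeping the rejected value only when permitted. */
    List<FieldProblem> toProblems(BindingResult result) {
        Object target = result.getTarget();
        return result.getFieldErrors().stream()
            .map(fe -> new FieldProblem(fe.getField(), fe.getDefaultMessage(),
                    mayEcho(target, fe) ? fe.getRejectedValue() : null))
            .collect(Collectors.toList());
    }

    /** Echo only if the global switch is on and the bound field is not annotated with @NoEcho. */
    private boolean mayEcho(Object target, FieldError fe) {
        if (!echoRejectedValues || target == null) {
            return false;
        }
        // Nested ("address.street") and indexed ("items[0].name") paths are not resolved here;
        // a field that cannot be located is treated as sensitive, so the check fails closed.
        try {
            return !target.getClass().getDeclaredField(fe.getField()).isAnnotationPresent(NoEcho.class);
        } catch (NoSuchFieldException e) {
            return false;
        }
    }
}
```

This only controls what reaches the client. `FieldError.toString()`, and therefore the message of the exception itself, still contains the rejected value, so an exception logger that prints the full message will still record it; log handling for these exceptions needs the same treatment.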