The following config properties are added since spring-boot-2.3.x:
server.error.include-exception=true
server.error.include-binding-errors=always
server.error.include-message=always
It would be nice if just all error properties could be configured to incude/exclude via properties, like:
server.error.include-status=false
server.error.include-path=false
Comment From: wilkinsona
Thanks for the suggestion.
The current properties are focussed on avoiding information leakage. For example, including an exception or even just an exception message may allow an attacker to identify a vulnerable component that they can then seek to exploit. We disable their inclusion by default while providing properties so that you can opt back in if possible information leakage is not a concern.
The other attributes, such as status and path, don't fall into the same category as there's no risk of information leaking. As such, I'm not sure that we should provide properties for them, as it isn't something that we expect a lot of people to want to configure. If you do want to configure them, you can provide your own ErrorAttributes implementation, possibly by extending DefaultErrorAttributes and removing the attributes that you do not want to be present.
What is your use case for not including the path and status?
Comment From: membersound
Thanks for you comment. Sounds consistent.
My use case for the other attributes is that some of them are kind of redundant (at least for me). Eg:
- The status code is already reflected in the http response header.
- The path is already known as the client is actively executing a request.
So I'd simply have to provide a CustomErrorAttributes bean? Or would it also be necessary to extend BasicErrorController to remove unwanted attributes?
Comment From: wilkinsona
A bean that implements ErrorAttributes should be sufficient.
Comment From: membersound
So as this succeeded, my case is probably too special for introducing additional properties. Let's leave it as it is!