{
    "id": "S053",
    "name": "Return generic error messages, hide internal details",
    "description": "Return generic error messages to users while logging detailed errors server-side. Do not expose stack traces, database errors, SQL queries, file paths, or internal system details in API responses.",
    "category": "security",
    "severity": "medium",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "error-handling", "information-disclosure", "api"],
    "examples": {
        "valid": [
            "res.status(500).json({ error: 'An unexpected error occurred' });",
            "logger.error('Database error', { error, query }); // Log details",
            "throw new HttpException('Invalid request', 400);"
        ],
        "invalid": [
            "res.status(500).json({ error: error.stack });",
            "res.send(error.message); // May contain internal details",
            "res.json({ sql: query, error: dbError }); // Exposes SQL"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule prevents information disclosure through error messages. Internal details that must not reach the client include stack traces, database error messages, SQL queries, file paths, internal IP addresses, configuration values, and library versions. Log the full details server-side, tagged with a correlation ID, so that the generic message returned to the client can still be matched to its detailed server-side record.",
        "url": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
    }
}
