---
title: Return Generic Error Messages
impact: HIGH
impactDescription: prevents information disclosure
tags: error-messages, information-disclosure, security
---

## Return Generic Error Messages

Detailed error messages (raw database errors, and replies that distinguish "user not found" from "wrong password") tell an attacker how your system is built and which accounts exist. Return generic messages to end users and keep the detail in server-side logs, correlated by request ID.

**Incorrect (detailed errors to user):**

```go
package main

import (
    "database/sql"
    "net/http"
)

var db *sql.DB // opened elsewhere

func Handler(w http.ResponseWriter, r *http.Request) {
    var id int
    err := db.QueryRow("...").Scan(&id)
    if err != nil {
        // Exposes database details (driver, table names, SQL text) to the client!
        http.Error(w, err.Error(), 500)
        return
    }
}

// User enumeration: the reply tells the caller which accounts exist
func LookupUser(w http.ResponseWriter, userNotFound bool) {
    if userNotFound {
        http.Error(w, "User john@example.com does not exist", 404)
    }
}
```

**Correct (generic errors with internal logging):**

```go
package main

import (
    "database/sql"
    "log/slog"
    "net/http"
)

var db *sql.DB // opened elsewhere

func Handler(w http.ResponseWriter, r *http.Request) {
    var id int
    err := db.QueryRow("...").Scan(&id)
    if err != nil {
        // Log the real error internally, correlated by request ID
        slog.Error("query failed", "error", err, "request_id", r.Header.Get("X-Request-Id"))

        // Return only a generic message to the client
        http.Error(w, "An internal error occurred", http.StatusInternalServerError)
        return
    }
}

// Same message for "user not found" and "wrong password"
func Login(w http.ResponseWriter, userExists, passwordMatches bool) {
    if !userExists || !passwordMatches {
        http.Error(w, "Invalid credentials", http.StatusUnauthorized)
    }
}
```

**Tools:** Global Error Middleware, `slog`
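The following is an added example of the "global error middleware" pattern named above; it is not code from the original rule. Handlers return an `error` instead of writing failures themselves, and one wrapper decides what the client sees: a pre-approved `ClientError` message, or a generic 500 carrying only a request ID while the full error (including recovered panics) goes to `slog`. The `ErrorHandler`, `ClientError`, `GenericErrors` and `NewMux` names, the routes, and the simulated driver error are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"log/slog"
	"net/http"
)

// ErrorHandler reports a failure as a returned error instead of writing it to the client.
// Handlers must return before writing a body on error so the middleware can reply cleanly.
type ErrorHandler func(w http.ResponseWriter, r *http.Request) error

// ClientError is the only error kind whose message is allowed to reach the client;
// its Message is a pre-approved generic string, never wrapped internals.
type ClientError struct {
	Status  int
	Message string
}

func (e *ClientError) Error() string { return e.Message }

// ErrInvalidCredentials covers both "unknown user" and "wrong password".
var ErrInvalidCredentials = &ClientError{Status: http.StatusUnauthorized, Message: "Invalid credentials"}

func newRequestID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "unavailable"
	}
	return hex.EncodeToString(b)
}

// GenericErrors is the global error middleware: the full error (or panic) goes to the
// log keyed by request ID, and the client sees only a generic message plus that ID.
func GenericErrors(log *slog.Logger, next ErrorHandler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reqID := r.Header.Get("X-Request-Id")
		if reqID == "" {
			reqID = newRequestID()
		}
		w.Header().Set("X-Request-Id", reqID)

		var err error
		func() {
			defer func() {
				if p := recover(); p != nil {
					err = fmt.Errorf("panic: %v", p)
				}
			}()
			err = next(w, r)
		}()
		if err == nil {
			return
		}

		var ce *ClientError
		if errors.As(err, &ce) {
			http.Error(w, ce.Message, ce.Status) // safe by construction
			return
		}
		log.Error("request failed", "request_id", reqID,
			"method", r.Method, "path", r.URL.Path, "error", err)
		http.Error(w, "An internal error occurred (reference "+reqID+")", http.StatusInternalServerError)
	})
}

// NewMux wires three hypothetical routes through the middleware. A nil logger discards
// log output; the failing routes use a constructed driver error and a deliberate panic.
func NewMux(log *slog.Logger) *http.ServeMux {
	if log == nil {
		log = slog.New(slog.NewTextHandler(io.Discard, nil))
	}
	mux := http.NewServeMux()
	mux.Handle("/profile", GenericErrors(log, func(w http.ResponseWriter, r *http.Request) error {
		// Constructed stand-in for a real database error; must never reach the client.
		return fmt.Errorf("load profile: %w", errors.New(`pq: relation "users" does not exist`))
	}))
	mux.Handle("/login", GenericErrors(log, func(w http.ResponseWriter, r *http.Request) error {
		return ErrInvalidCredentials // same reply whether the user or the password was wrong
	}))
	mux.Handle("/panic", GenericErrors(log, func(w http.ResponseWriter, r *http.Request) error {
		panic("template rendering failed") // recovered and masked by the middleware
	}))
	return mux
}

func main() {
	slog.Error("server stopped", "error", http.ListenAndServe(":8080", NewMux(slog.Default())))
}
```

The design point is that the allow-list runs the other way round from the incorrect version: nothing reaches the client unless it is explicitly a `ClientError`, so a new failure mode added later (a new driver, a new panic) is masked by default rather than leaked by default. The request ID echoed to the client is what support staff use to find the full entry in the logs.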
