---
title: Return Generic Error Messages
impact: HIGH
impactDescription: prevents information disclosure and system reconnaissance
tags: error-messages, information-disclosure, security, kotlin
---

## Return Generic Error Messages

Detailed error messages can expose internal system implementation details, database structures, or specific library versions to attackers. This information is invaluable for planning more targeted attacks.

**Incorrect (detailed errors exposed to client):**

```kotlin
// Spring Boot Exception Handler exposing EVERYTHING
@ExceptionHandler(Exception::class)
fun handleAll(e: Exception): ResponseEntity<Any> {
    val body = mapOf(
        "message" to e.message,
        "class" to e.javaClass.name,
        "stackTrace" to e.stackTrace // CRITICAL: Never send stack traces to clients!
    )
    return ResponseEntity.status(500).body(body)
}

// User Enumeration vulnerability
if (user == null) {
    return ResponseEntity.status(401).body("User not found")
}
if (!passwordValid) {
    return ResponseEntity.status(401).body("Incorrect password")
}
```

**Correct (generic errors with internal tracking):**

```kotlin
@ExceptionHandler(Exception::class)
fun handleAll(e: Exception, request: WebRequest): ResponseEntity<Any> {
    val trackingId = UUID.randomUUID().toString()
    
    // Log full details internally
    logger.error("Internal Error #$trackingId on ${request.getDescription(false)}", e)
    
    // Provide a generic message and a tracking ID for the user to report
    val body = mapOf(
        "error" to "An internal system error occurred",
        "code" to 500,
        "trackingId" to trackingId 
    )
    return ResponseEntity.status(500).body(body)
}

// Same message for both prevents user enumeration
if (user == null || !passwordValid) {
    return ResponseEntity.status(401).body("Invalid username or password")
}
```

**Security Best Practices:**
- Never return stack traces, raw query strings, or file paths in API responses.
- Use a Global Exception Handler to catch and sanitize all unhandled exceptions.
- Ensure authentication messages are identical regardless of whether the username exists.
- In production, disable Spring's `server.error.include-stacktrace` property.

**Tools:** Spring `@ControllerAdvice`, Ktor `StatusPages`, OWASP ZAP, Manual Audit
