I think the protocol should allow both, and the behavior should be either
configurable or enabled via a system property. Every web server known to me
allows exposing this information for debugging purposes.

2017-09-19 10:20 GMT+03:00 Vladimir Ozerov <voze...@gridgain.com>:

> Igniters,
>
> We had a discussion about how to propagate error information from cluster
> nodes to the client. My opinion is that we should pass a kind of vendor
> code plus an optional error message, if the vendor code is not very specific.
>
> An alternative idea is to pass the whole stack trace as well. I agree that
> this is very useful for debugging purposes, but on the other hand IMO it
> imposes a security risk. By sending invalid requests to the server, a user might
> get sensitive information about server configuration, such as its version,
> the version of the underlying database, frameworks, etc. This information may
> help an attacker to apply some version-specific attacks. This is the precise
> reason why default error pages of web servers with stack traces are always
> replaced with some stubs.
>
> This is why I think we should not include stack traces.
>
> What do you think?
>
> Vladimir.
>
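
The two positions in this thread (a vendor code plus optional message, and a stack trace that is only sent when explicitly enabled through a system property) can be combined, as in this added sketch. It is not code from Apache Ignite or from either poster; the class, the property name `demo.client.sendStackTrace` and the error codes are hypothetical.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration (Java 16+). All names here are hypothetical, not Ignite's API.
public class ErrorResponseDemo {
    private static final Logger LOG = Logger.getLogger("server.errors");

    // Hypothetical opt-in switch; unset or anything but "true" keeps traces off the wire.
    static final String TRACE_PROP = "demo.client.sendStackTrace";

    // Constructed codes for the sketch.
    static final int GENERIC_FAILURE = 1;
    static final int BAD_REQUEST = 2;

    // What the client receives.
    record ErrorResponse(int vendorCode, String message, String errorId, String stackTrace) {}

    static ErrorResponse toResponse(Throwable err) {
        // The full trace always goes to the server log, keyed by an id the client can quote.
        String errorId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, errorId=" + errorId, err);

        // Only errors caused by the request itself get a specific code and message;
        // everything else collapses to a generic code so internals stay server-side.
        boolean clientFault = err instanceof IllegalArgumentException;
        int code = clientFault ? BAD_REQUEST : GENERIC_FAILURE;
        String msg = clientFault ? err.getMessage() : "Internal server error";

        String trace = null;
        if (Boolean.getBoolean(TRACE_PROP)) { // debugging mode, explicitly enabled by the operator
            StringWriter sw = new StringWriter();
            err.printStackTrace(new PrintWriter(sw, true));
            trace = sw.toString();
        }
        return new ErrorResponse(code, msg, errorId, trace);
    }

    public static void main(String[] args) {
        // Constructed failure whose message and frames would reveal server internals.
        Throwable failure = new IllegalStateException("cannot open /opt/app/work/db");
        System.out.println("default:   " + toResponse(failure));
        System.setProperty(TRACE_PROP, "true");
        System.out.println("debugging: " + toResponse(failure));
    }
}
```

The correlation id keeps the default mode usable for support: the client reports the id, and the operator finds the full trace in the server log.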
