  • 3
    I disagree with a lot of this. First, a 404 on a REST API doesn't require an empty response body. In particular, a JSON API should always return JSON, so an empty response body just for a 404 can cause problems. More importantly, for a 500 the server should never return information about the source of the error in the response body (at least in production), so that is not relevant here. Commented Jan 16, 2020 at 21:14
  • 1
    Thanks for sharing your understanding of REST APIs. Mine is based on training and personal experience connecting to APIs, some of which have included exception details in a 500 response body, and an empty 404 response body by design. However, the REST API was intended as a concrete example of how exception handling could expose sensitive data, and was not intended to start a tangential discussion on REST fundamentals. I'm new here - your feedback is appreciated if you think this answer could be improved otherwise. Commented Jan 16, 2020 at 23:16
  • 1
    There are definitely APIs out there that show internal details in the event of an error, but that doesn't have anything to do with REST APIs. There are "regular" websites that do that too. However, in all cases this is already a bad practice. See this. Exception catching doesn't have anything to do with tracebacks because whether or not error details are displayed is typically a global application setting; an uncaught exception won't change anything. Commented Jan 16, 2020 at 23:55