Reputation: 1665
Example:
err := Db.Find(&event, id).Error
if err != nil {
	c.JSON(500, err.Error())
	return
}
I'm worried that it might include sensitive information. Example: when connecting to a database and the db credentials are invalid, I'm worried that the error message might be something like: "invalid username: sample and password: xxx"
Upvotes: 2
Views: 85
Reputation: 417612
Effectively you answered your own question: you pointed out it may contain sensitive information which means it is not always safe to include them in responses visible to the users.
It may also contain information related to your implementation (e.g. package names, type names, call hierarchy), and also configuration data (e.g. server name, database name, user names etc.), potentially exposing private and sensitive architecture and business information.
Think about it: you're a package author and you create the error values (error messages) returned by your functions / methods. You create descriptive error messages describing why a requested function cannot complete normally, intended for the callers of that function/method (the developers), and not for the end users, who shouldn't know what's going on under the hood.
error.Error() messages are for the developers. They are also useful during testing, and they are indispensable for hunting down bugs. You should not show them to the users; instead, log them somewhere you have access to, and provide a more general or user-friendly error message to the users, assuring them that the dev team has been notified and is looking into the problem. Showing original error messages may cause confusion in inexperienced users, and may raise security issues.
Upvotes: 3
Reputation: 1023
The best way is to write to the error log, and return custom database error info, like:
var (
	// Generic, client-safe message; the real error never leaves the server.
	ErrEventNotFound = "Event not found."
)
err := Db.Find(&event, id).Error
if err != nil {
	// Log the full error server-side (requires importing "log").
	log.Printf("Db.Find event %v: %v", id, err)
	c.JSON(500, ErrEventNotFound)
	return
}
Upvotes: 1
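Both answers boil down to the same pattern: keep the full err.Error() text in the server log and send the client a generic message. The following added example (not code from either answer, and not Gin/GORM code) shows that pattern with the standard library only: ErrRecordNotFound is a constructed stand-in for an ORM sentinel such as gorm.ErrRecordNotFound, and the random reference token ties each client response to its log line so support staff can still find the detailed error.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
)

// ErrRecordNotFound stands in for an ORM "no rows" sentinel (constructed here).
var ErrRecordNotFound = errors.New("record not found")

// Response is all the client sees: a generic message plus an opaque reference.
type Response struct {
	Status  int    `json:"-"`
	Message string `json:"message"`
	Ref     string `json:"ref,omitempty"`
}

// newRef returns a random hex token that ties a response to its log line.
func newRef() string {
	b := make([]byte, 8)
	_, _ = rand.Read(b) // documented never to fail since Go 1.24
	return hex.EncodeToString(b)
}

// classify maps an internal error to a client-safe Response plus the log line
// holding the full err.Error() text, which never reaches Response.Message.
func classify(err error) (Response, string) {
	if err == nil {
		return Response{Status: http.StatusOK}, ""
	}
	resp := Response{Status: http.StatusInternalServerError, Ref: newRef(),
		Message: "Internal error. The team has been notified."}
	if errors.Is(err, ErrRecordNotFound) { // expected case: safe to be specific
		resp.Status, resp.Message = http.StatusNotFound, "Event not found."
	}
	return resp, fmt.Sprintf("ref=%s status=%d err=%q", resp.Ref, resp.Status, err.Error())
}

func main() {
	// Constructed error imitating a driver message that echoes credentials.
	leaky := errors.New("dial db: invalid username: sample and password: xxx")
	for _, err := range []error{ErrRecordNotFound, leaky} {
		resp, line := classify(err)
		log.Println(line)                                // detail stays server-side
		fmt.Printf("%d %q\n", resp.Status, resp.Message) // what the client receives
	}
}
```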