Exception detail returned to the client
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A view or error handler returns str(e) or traceback.format_exc() in the HTTP response body, leaking file paths, dependency versions, and internal structure to whoever triggered the error.
Why it matters
Returning str(e) or traceback.format_exc() in an HTTP response hands the caller your file paths, library versions, variable names, and sometimes fragments of a query or connection string, all of which help an attacker map out the application and plan a more targeted attack. None of that detail is useful to a legitimate API client, which only needs to know that something failed and, at most, a stable error code.
How to fix it
Log the full exception detail server-side with logging.exception(...) or similar, and return a generic message and a fixed HTTP status to the client, for example jsonify(error="Internal server error"), 500. If callers need to correlate the failure with server logs, include a request ID in both instead of the exception text.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo