Will It Vibe logoWill It Vibe?
RAILS-013High severity-15 points

Detailed error pages enabled in production

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

config.consider_all_requests_local = true in production.rb makes Rails render the full interactive error page, stack trace, source snippets, and local variables included, to every visitor who triggers an unhandled exception on the live site.

Why it matters

consider_all_requests_local = true makes Rails show the full developer error page for any unhandled exception: a stack trace, the source code around the failing line, and a dump of local variables and request parameters. Left enabled in production.rb, any visitor who can trigger an unhandled error (often trivially, with a malformed request) sees all of that, which routinely includes things like internal file paths, query structure, and occasionally values that should have stayed private.

How to fix it

Set config.consider_all_requests_local = false in production.rb (the default Rails generates), so unhandled exceptions render the generic public error page instead. Keep the local, detailed error page for development and test environments only, where seeing the full trace is the point.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks