Detailed error pages enabled in production
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
config.consider_all_requests_local = true in production.rb makes Rails render the full interactive error page, stack trace, source snippets, and local variables included, to every visitor who triggers an unhandled exception on the live site.
Why it matters
consider_all_requests_local = true makes Rails show the full developer error page for any unhandled exception: a stack trace, the source code around the failing line, and a dump of local variables and request parameters. Left enabled in production.rb, any visitor who can trigger an unhandled error (often trivially, with a malformed request) sees all of that, which routinely includes things like internal file paths, query structure, and occasionally values that should have stayed private.
How to fix it
Set config.consider_all_requests_local = false in production.rb (the default Rails generates), so unhandled exceptions render the generic public error page instead. Keep the local, detailed error page for development and test environments only, where seeing the full trace is the point.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo