Must not return server-side tracebacks

Adds guidance that server-side tracebacks/stacktraces must not be returned to the user. Change-Id: Ib64bd648fb28ff1f5600c8a08c1efab3bcd871ec
2015-05-15 12:38:36 -04:00 · 2015-05-15 12:38:36 -04:00 · 047e0eca26
commit 047e0eca26
parent 53eeb66d39
1 changed files with 4 additions and 0 deletions
--- a/guidelines/http.rst
+++ b/guidelines/http.rst
@ -136,6 +136,10 @@ request process which cannot be resolved by the client alone. The nature
 of each code in the 5xx series carries a specific meaning and they should
 be fully researched before deploying.

+The server **must not** return server-side stacktraces/traceback output to the
+end user. Tracebacks and stacktraces belong in server-side logs, not returned
+via the HTTP API to an end user.
+
 Failure Code Clarifications
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~