From 047e0eca262bb7027e8ca0a6d8499475d490f272 Mon Sep 17 00:00:00 2001 From: Jay Pipes Date: Fri, 15 May 2015 12:38:36 -0400 Subject: [PATCH] Must not return server-side tracebacks Adds guidance that server-side tracebacks/stacktraces must not be returned to the user. Change-Id: Ib64bd648fb28ff1f5600c8a08c1efab3bcd871ec --- guidelines/http.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/guidelines/http.rst b/guidelines/http.rst index ba641ea..80729a0 100644 --- a/guidelines/http.rst +++ b/guidelines/http.rst @@ -136,6 +136,10 @@ request process which cannot be resolved by the client alone. The nature of each code in the 5xx series carries a specific meaning and they should be fully researched before deploying. +The server **must not** return server-side stacktraces/traceback output to the +end user. Tracebacks and stacktraces belong in server-side logs, not returned +via the HTTP API to an end user. + Failure Code Clarifications ~~~~~~~~~~~~~~~~~~~~~~~~~~~
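Review bot: the new paragraph in the 5xx section of guidelines/http.rst says what must not be returned but gives no guidance on what the response should carry instead, so an implementer fixing a leaking handler has nothing to aim for. Consider adding a sentence stating that the error body should contain a generic, client-safe message, and optionally an identifier that lets an operator find the matching traceback in the server-side logs. It is also worth stating the reason for the rule (tracebacks can disclose file paths, library versions and internal state to the caller) so that it reads as a security requirement and not only as a style preference. Two wording points: the first sentence uses "stacktraces/traceback output" while the second uses "Tracebacks and stacktraces", so pick one form and use it in both; and "not returned via the HTTP API to an end user" repeats the first sentence, so the second sentence could end at "server-side logs".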