Open
Description
Summary
When API errors occur, raw error responses with internal system details are displayed to users. This creates security and UX concerns.
Reproduction Steps
- Open KnowledgeSpace AI chat interface
- Send multiple queries rapidly OR wait for rate limit
- Observe the error message displayed
Current Behavior
When an API error occurs, users see raw error details:
```
Error: 429 RESOURCE_EXHAUSTED
model: gemini-2.5-flash-lite
quotaId: GenerateRequestsPerDayPerProjectPerModel-FreeTier
quotaValue: '20'
retryDelay: '57s'
```
Information Disclosed
| Exposed Detail | Security Risk |
|---|---|
| gemini-2.5-flash-lite | Reveals LLM provider and model |
| FreeTier | Reveals pricing tier |
| quotaValue: 20 | Reveals rate limit thresholds |
| retryDelay: 57s | Enables timing attacks |
Expected Behavior
Users should see friendly messages like:
- "I'm currently experiencing high demand. Please try again in a moment."
- "Something went wrong. Please try again later."
Screenshots
Acceptance Criteria
- No internal error details exposed to users
- All API errors return user-friendly messages
- Full error details logged server-side for debugging
- Frontend displays clean error messages
Why This Matters
- Helps attackers understand system architecture
- Creates unprofessional user experience
- Violates OWASP security best practices
I am willing to implement this fix.
/cc @visakhmr
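One way to meet the acceptance criteria above, shown as an added example that is not part of the original issue or the project's code. The names `UpstreamError`, `sanitize_error`, `handle_chat`, the `ref` correlation field and the 503/500 status choices are assumptions; the raw error string is constructed from the one quoted in the issue.

```python
import logging
import uuid

log = logging.getLogger("api.errors")

# User-facing messages taken from the issue's "Expected Behavior" section.
BUSY = "I'm currently experiencing high demand. Please try again in a moment."
GENERIC = "Something went wrong. Please try again later."


class UpstreamError(Exception):
    """Hypothetical stand-in for the LLM client's exception type."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def sanitize_error(exc):
    """Log the full error server-side; return only a safe payload for the client."""
    ref = uuid.uuid4().hex[:12]  # correlation id tying a user report to the log line
    status = getattr(exc, "status", None)
    # %r escapes control characters, so upstream text cannot forge extra log lines.
    log.error("upstream failure ref=%s status=%s detail=%r", ref, status, exc)
    if status == 429:
        # The provider's quota is exhausted, not the user's: report "busy", no numbers.
        return 503, {"error": BUSY, "ref": ref}
    # Every other failure, including unexpected exception types, gets one message.
    return 500, {"error": GENERIC, "ref": ref}


def handle_chat(query, call_model):
    """Hypothetical request handler; call_model is whatever invokes the LLM."""
    try:
        return 200, {"answer": call_model(query)}
    except Exception as exc:  # deliberate catch-all at the API boundary
        return sanitize_error(exc)


# Constructed sample mirroring the raw error quoted in the issue.
RAW = ("429 RESOURCE_EXHAUSTED model: gemini-2.5-flash-lite "
       "quotaId: GenerateRequestsPerDayPerProjectPerModel-FreeTier "
       "quotaValue: '20' retryDelay: '57s'")


def rate_limited(_query):
    raise UpstreamError(429, RAW)


if __name__ == "__main__":
    print(handle_chat("what is a neuron?", rate_limited))
```

The frontend then renders only the `error` string, and the `ref` value lets support find the full server-side log entry without exposing its contents.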
