Skip to content

fix(frontend): sanitize API error messages to prevent info disclosure#48

Open
SandeepChauhan00 wants to merge 1 commit intoINCF:mainfrom
SandeepChauhan00:fix/error-sanitization-47
Open

fix(frontend): sanitize API error messages to prevent info disclosure#48
SandeepChauhan00 wants to merge 1 commit intoINCF:mainfrom
SandeepChauhan00:fix/error-sanitization-47

Conversation

@SandeepChauhan00
Copy link

@SandeepChauhan00 SandeepChauhan00 commented Jan 30, 2026

🔗 Related Issue

Closes #47

📋 Summary

Sanitizes API error messages to prevent exposing internal system details to users.

🐛 Problem

When API errors occur, raw error responses including sensitive details are displayed:

  • LLM model names (gemini-2.5-flash-lite)
  • Pricing tiers (FreeTier)
  • Rate limit thresholds (quotaValue: 20)
  • SSL/Protocol errors (_ssl.c:1032)

This violates OWASP security best practices.

✅ Solution

Added ErrorHandler.ts utility that:

  • Sanitizes all error responses before displaying to users
  • Shows user-friendly messages based on error type
  • Logs full error details to console for debugging

📁 Files Changed

File Change
src/utils/ErrorHandler.ts NEW - Error sanitization utility
src/App.tsx Updated to use sanitized error messages

🔄 Before & After

Error Type Before (Exposed) After (Sanitized)
Rate Limit 429 RESOURCE_EXHAUSTED gemini-2.5-flash-lite "I'm currently experiencing high demand..."
SSL Error [SSL: UNEXPECTED_EOF] _ssl.c:1032 "Unable to connect to the server..."
Timeout 504 Gateway Timeout "The request took too long..."

🧪 Testing Performed

Test Case Result
Rate limit error sanitized ✅ Pass
SSL error sanitized ✅ Pass
Network error sanitized ✅ Pass
Full error logged to console ✅ Pass
Normal responses unaffected ✅ Pass

✅ Checklist

@SandeepChauhan00
Copy link
Author

SandeepChauhan00 commented Feb 8, 2026

Hi team! 👋

Following up on this security enhancement PR. This addresses Issue #47
by preventing internal system details from being exposed to end users
in error messages.

Changes:

  • ✅ Generic error messages for client-side display
  • ✅ Detailed errors still logged server-side for debugging
  • ✅ Improved security posture without losing observability

This is a low-risk change that improves security. I've completed all
the checklist items and the implementation is ready for review.

Would appreciate your feedback when you have a moment. Happy to discuss
the approach or make adjustments!

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security/UX] API Error Messages Expose Internal System Details to Users

1 participant

@SandeepChauhan00