
Avoid exposing backend details to clients in spring-boot

王林
Release: 2024-02-22 12:28:06

Recently, PHP editor Xigua brought you a Q&A article about Java, focusing on how to avoid exposing back-end details to the client in spring-boot. During the development process, how to handle sensitive information such as exception information and error prompts to avoid leaking sensitive data is one of the issues that developers need to focus on. This article will answer these questions for you and help you better protect the security of your applications.

Question content

When an incorrect/non-existent spring-boot endpoint is encountered, code-level class details are exposed. This may be flagged as a security issue.

Example

Request

localhost:8500/api/1.0/service/../msc -> this is a bad formatted endpoint, which does not exist.

Response

{
    "timestamp": "2024-01-31T08:33:44.321+0000",
    "status": 400,
    "error": "Bad Request",
    "message": "Failed to find lookupPath '/api/1.0/msc' within requestUri '/api/1.0/service/../msc'. This could be because the path has invalid encoded characters or isn't normalized.; nested exception is org.springframework.web.servlet.resource.ResourceUrlEncodingFilter$LookupPathIndexException: Failed to find lookupPath '/api/1.0/msc' within requestUri '/api/1.0/service/../msc'. This could be because the path has invalid encoded characters or isn't normalized.",
    "path": "/api/1.0/service/../msc"
}

Just by looking at the error message, we can tell that there is a spring-boot application running in the background, which could be a vulnerability since the code-level details are exposed in the message.

How can we send a generic message to the client instead of the entire exception details?

I also tried using @ControllerAdvice, but the exception was not caught in it. It looks like the problem occurs before it even gets to the controller itself.

@ControllerAdvice
public class GlobalExceptionHandler { // class name is hypothetical; assumes Lombok @Slf4j or an SLF4J 'log' field
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> handleException(Exception ex) {
        log.error("Exception in flow", ex); // full detail stays in the server log
        // the original snippet lacked 'return', so the method did not compile
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Internal Server Error");
    }
}

Solution

You can use a combination of methods to handle the exception and not leak it, see https://www.php.cn/link/41fa3925a7ec42ce029c43d6676e4b2c to check for different types of handlers.
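The answer above links out rather than showing code, so here is an added example (not from the original question or answer) of the approach that covers the asker's case: the exception is thrown by a filter before the DispatcherServlet, so @ControllerAdvice never sees it, but the servlet container still forwards the error to Spring Boot's /error path, where a custom ErrorController can replace the default one. It assumes Spring Boot 3 (jakarta.servlet imports; Spring Boot 2 uses javax.servlet instead) and an SLF4J logger; the class name GenericErrorController is made up.

```java
import java.util.Map;
import jakarta.servlet.RequestDispatcher;
import jakarta.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.error.ErrorController;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/*
 * Example controller (class name is made up). Declaring a bean that implements
 * ErrorController makes Spring Boot skip its default BasicErrorController, the
 * component that built the verbose JSON shown in the question. The servlet
 * container forwards every unhandled error to /error, including ones thrown by
 * filters such as ResourceUrlEncodingFilter before the request reaches the
 * DispatcherServlet, which is why the @ControllerAdvice handler never saw it.
 */
@RestController
public class GenericErrorController implements ErrorController {

    private static final Logger log = LoggerFactory.getLogger(GenericErrorController.class);

    // Same path expression BasicErrorController uses, so server.error.path is honoured.
    @RequestMapping("${server.error.path:${error.path:/error}}")
    public ResponseEntity<Map<String, Object>> handleError(HttpServletRequest request) {
        // The container exposes the original status, exception and URI as request attributes.
        Object statusAttr = request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        Object uri = request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        HttpStatus status = HttpStatus.INTERNAL_SERVER_ERROR;
        if (statusAttr instanceof Integer code && HttpStatus.resolve(code) != null) {
            status = HttpStatus.resolve(code);
        }

        // Full detail (class names, nested exceptions, original path) goes to the server log only.
        log.error("Request to {} failed with status {}", uri, status.value(), cause);

        // The client receives the status and its generic reason phrase, never the exception text.
        Map<String, Object> body = Map.of(
                "status", status.value(),
                "error", status.getReasonPhrase());
        return ResponseEntity.status(status).body(body);
    }
}
```

If the default BasicErrorController is kept instead, the same leak is closed by configuration on Spring Boot 2.3 and later: server.error.include-message=never, server.error.include-exception=false and server.error.include-stacktrace=never.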

Source: stackoverflow.com