Category: Security | Severity: Medium

Information Disclosure

Checks for error pages, stack traces, and debug output leaking internal info.

What this check measures

We trigger common error conditions (bad requests, non-existent paths, malformed input) and inspect responses for stack traces, framework banners, internal IPs, or DB connection errors.

Why it matters

Error messages can leak version numbers, file paths, database structure, and internal IP addresses — a goldmine for reconnaissance. The attacker learns your stack without ever launching an exploit.


How our audit detects it

Request invalid URLs, malformed payloads, 500-triggering inputs. Scan response bodies for stack traces, file paths, framework version strings.

Typical findings

  • 500 page shows full Node.js stack trace including file paths.
  • 404 page leaks framework name and version.
  • DB error surfaces the raw SQL query in the response.

How to fix

Catch errors and return generic messages ("Something went wrong"). Log details server-side only. Set NODE_ENV=production — most frameworks suppress stack traces automatically in prod mode.

Frequently asked questions

What about debug flags in production?
Never. DEBUG=* or similar in production leaks everything. Staging only.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

