Thrown error messages are exposed to the open web without NODE_ENV=production


The default behaviour of express is to serve errors + stack trace to the open web. For example, this:

var app = require('express')();

app.get('/', function(request, response) {
  throw new Error("this error message is exposed to the open web! D:"); // with no NODE_ENV=production, this stack trace becomes the response body
  response.sendFile(__dirname + '/views/index.html'); // never reached
});

will serve this:

Some people might not be aware of this, and it could lead to sensitive info being leaked on their websites. Maybe a comment in the .env file would be good here? Or even just adding NODE_ENV=production by default? I don’t know the best way to handle this, but currently I think it could be a bit dangerous.


Thanks for the feedback. We haven’t been made aware of any problems resulting from Express having this default so far. But of course, people accidentally expose sensitive information on platforms like GitHub all the time through a lack of knowledge. So in the future we plan to look into automated ways we can pro-actively help inexperienced users avoid this and this is definitely a scenario we’ll be sure to consider as part of that.

Setting node_env to production by default though may be a little heavy-handed, as it has an impact on how many modules work which users might not expect. So there’s a balance to be found here.