Four error-triggering endpoints — two expose internal server details in the response body, two handle errors cleanly. Find what each leaks and compare it to what it should return.
Improper error handling means the API exposes stack traces, file paths, database connection strings, framework versions, or debug settings in error responses. This is a security and reliability issue — it aids attackers and breaks client contracts.
| Bug | Trigger raw 500 → exposes traceback, file paths, DB config, debug flag, and secret key prefix |
| Bug | Trigger DB error → exposes raw SQL error string with constraint and row data |
| Correct | Trigger clean 500 → returns only {"error": "...", "code": "..."} |
| Correct | Trigger 400 → clean validation error with field name |