
BE: Make it possible to hide stacktraces in HTTP responses

Open PhilGrayson-flutterint opened this issue 1 year ago • 3 comments

Issue submitter TODO list

  • [X] I've searched for an already existing issue here
  • [X] I'm running a supported version of the application which is listed here, and the feature is not present there

Is your proposal related to a problem?

No response

Describe the feature you're interested in

When you visit an API path that does not exist like /api/foobar, Kafka-UI prints a JSON response containing a stackTrace field.

I'd like to be able to prevent the stacktrace from being printed as a defence-in-depth strategy to limit exposing implementation detail that could be used to scan for known vulnerabilities. This is to address https://owasp.org/www-community/Improper_Error_Handling.

I appreciate that Kafka-UI displays the currently-deployed git commit short hash in the header, and since Kafka-UI is open-source, that can also be used to discover the library dependency tree. However, I think addressing that is outside the scope of this request.

Describe alternatives you've considered

I tried to use Spring web native property server.error.include-stacktrace to prevent this, but that didn't work.

I see the stacktrace is always being added in the GlobalErrorWebExceptionHandler.java class.

Version you're running

8c70126

Additional context

No response

PhilGrayson-flutterint, Sep 02 '24 10:09

I would like to work on this!

mrlittle113, Sep 04 '24 09:09

@mrlittle113 sure, the desired approach is to have a configuration property that will hide the stack traces in the aforementioned GlobalExceptionHandler

Haarolean, Sep 04 '24 11:09
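As an illustration of the approach described above, here is an added example of a Spring WebFlux global error handler whose stack-trace output is gated by a boolean configuration property. This is example code written for this page, not code from the kafbat/kafka-ui project or from PR 537: the class name PropertyGatedErrorHandler and the property name app.errors.include-stacktrace are hypothetical placeholders, and the code assumes Spring Boot 3 (Spring Framework 6) and Java 17 or newer. It is ordered before Spring Boot's own DefaultErrorWebExceptionHandler, which is why the built-in server.error.include-stacktrace property has no effect on it: a custom handler only honours a property it is written to read.

```java
// Added example (not kafbat/kafka-ui code): a WebFlux error handler that only
// emits a stackTrace field when the hypothetical property
// app.errors.include-stacktrace=true is set. Default is false (hide).
package example.errors;

import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.web.WebProperties;
import org.springframework.boot.autoconfigure.web.reactive.error.AbstractErrorWebExceptionHandler;
import org.springframework.boot.web.reactive.error.ErrorAttributes;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.MediaType;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.server.RequestPredicates;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.reactive.function.server.ServerResponse;
import org.springframework.web.server.ResponseStatusException;
import reactor.core.publisher.Mono;

@Component
@Order(-2) // runs before Spring Boot's DefaultErrorWebExceptionHandler (order -1)
public class PropertyGatedErrorHandler extends AbstractErrorWebExceptionHandler {

  private final boolean includeStackTrace;

  public PropertyGatedErrorHandler(ErrorAttributes errorAttributes,
                                   WebProperties webProperties,
                                   ApplicationContext applicationContext,
                                   ServerCodecConfigurer codecConfigurer,
                                   // hypothetical property; false unless explicitly enabled
                                   @Value("${app.errors.include-stacktrace:false}") boolean includeStackTrace) {
    super(errorAttributes, webProperties.getResources(), applicationContext);
    setMessageWriters(codecConfigurer.getWriters());
    this.includeStackTrace = includeStackTrace;
  }

  @Override
  protected RouterFunction<ServerResponse> getRoutingFunction(ErrorAttributes errorAttributes) {
    // Route every failed request (including unknown paths such as /api/foobar) to render()
    return RouterFunctions.route(RequestPredicates.all(), this::render);
  }

  private Mono<ServerResponse> render(ServerRequest request) {
    Throwable error = getError(request);

    // Keep the real status for framework exceptions (e.g. 404 for an unknown route),
    // fall back to 500 for anything unexpected.
    HttpStatusCode status = error instanceof ResponseStatusException rse
        ? rse.getStatusCode()
        : HttpStatus.INTERNAL_SERVER_ERROR;
    HttpStatus resolved = HttpStatus.resolve(status.value());
    String message = resolved == null ? "Error" : resolved.getReasonPhrase();

    // The body carries only a generic message plus a request id for log correlation;
    // the exception message itself is never echoed to the client.
    Map<String, Object> body = new LinkedHashMap<>();
    body.put("code", status.value());
    body.put("message", message);
    body.put("requestId", request.exchange().getRequest().getId());

    if (includeStackTrace) {
      StringWriter sw = new StringWriter();
      error.printStackTrace(new PrintWriter(sw));
      body.put("stackTrace", sw.toString());
    }

    return ServerResponse.status(status)
        .contentType(MediaType.APPLICATION_JSON)
        .bodyValue(body);
  }
}
```

With the property left at its default, a request to a non-existent path yields a JSON body with only code, message and requestId; setting app.errors.include-stacktrace=true (for example in a development profile) restores the stackTrace field. The requestId is what an operator uses to find the full trace in the server log, so nothing is lost for debugging by hiding it from the HTTP response.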

I have created https://github.com/kafbat/kafka-ui/pull/537. Also I have some questions:

  • Where should I document the new config?
  • I am using a Mac; the documentation says that some tests fail on Mac, so how can I check whether my code breaks any tests?

mrlittle113, Sep 04 '24 15:09