
Cannot override the default error pages which contain sensitive info

Open andcea opened this issue 2 years ago • 3 comments

Is your feature request related to a problem? Please describe.

The default error pages cannot be overridden and they contain sensitive info such as the internal error message and stack trace. This is a security concern.

Describe the solution you'd like

  • The default error pages should either have no body or shouldn't show any dangerous info such as internal error messages or stack traces in production.
  • The error pages should be fully customizable. They are currently hard-coded in a few places and cannot be replaced.
  • Provide an error handler to allow the user to customize the response in certain failure scenarios.

Describe alternatives you've considered

Overriding the error pages or mapping the Response object to remove the body of non-2xx pages. Neither are currently supported by zio-http.

Additional context

[Screenshot: "Screenshot 2022-06-01 at 17 09 11" (image not included in this extract)]

andcea avatar Jun 01 '22 16:06 andcea

Hi 🙂

It's far from a perfect solution, but in order to get around this I created a middleware that intercepts errors and defects and just returns an empty 500 response:

// Assumed import for the zio-http version this snippet targets (the zhttp.http package);
// it brings HttpMiddleware, HttpApp, Http and Status into scope.
import zhttp.http._

val mid = new HttpMiddleware[Any, Throwable] {
  override def apply[R1 <: Any, E1 >: Throwable](http: HttpApp[R1, E1]): HttpApp[R1, E1] =
    http
      // Expected failures (the E channel): replace the default error page with a bare 500.
      .catchAll(_ => Http.status(Status.InternalServerError))
      // Unexpected defects (thrown exceptions): same bare 500, so no stack trace is rendered.
      .catchAllDefect(_ => Http.status(Status.InternalServerError))
}

beneyal avatar Jun 06 '22 06:06 beneyal

Thanks @beneyal that worked!

Keeping this issue open as a feature request for the ability to fully override the default error pages.

andcea avatar Jun 07 '22 16:06 andcea

I think this is great but we can enhance it further :)

For example:

  1. Create a middleware beautifyErrors that the user can attach if they want a beautiful-looking error response (typically in dev mode).
  2. The middleware should only return an HTML response if the client sends HTML in its Accept header.
  3. If the user agent is curl, then the content type should be text and we can add colour coding to the response.
  4. The default behaviour should be to return empty status codes.

tusharmath avatar Jun 08 '22 10:06 tusharmath
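As an added example (not code from this thread or from zio-http itself), the following sketches the middleware tusharmath describes, built on the same catchAll/catchAllDefect approach as beneyal's snippet: status-only responses by default, and a body only in dev mode, HTML only when the Accept header allows it, coloured plain text for curl. It is written against the zhttp.http API of that era; the package name, the HeaderNames/HeaderValues/Headers.contentType helpers, HttpData.fromString, the Response constructor and Response#setStatus are assumptions about that version.

```scala
import zhttp.http._  // assumed: zio-http package of the snippet above

object ErrorPages {
  // `beautify = false` is the production default: nothing but the status code is sent.
  def middleware(beautify: Boolean): HttpMiddleware[Any, Throwable] =
    new HttpMiddleware[Any, Throwable] {
      override def apply[R1 <: Any, E1 >: Throwable](http: HttpApp[R1, E1]): HttpApp[R1, E1] =
        http
          .catchAll(e => render(e))        // expected failures
          .catchAllDefect(t => render(t))  // defects: the ones that leaked stack traces before

      private def render(t: Throwable): HttpApp[Any, Nothing] =
        Http.collect[Request] { case req =>
          val status = Status.InternalServerError
          val title  = "500 Internal Server Error"
          if (!beautify) Response.status(status) // empty body, no internal details at all
          else {
            // Assumed header accessors for this version of zio-http.
            val accept    = req.headerValue(HeaderNames.accept).getOrElse("")
            val userAgent = req.headerValue(HeaderNames.userAgent).getOrElse("")
            // Even in dev mode only class name and message are shown, never the stack trace.
            val summary = s"${t.getClass.getName}: ${Option(t.getMessage).getOrElse("")}"
            if (accept.contains("text/html"))
              Response(
                status  = status,
                headers = Headers.contentType(HeaderValues.textHtml),
                data    = HttpData.fromString(s"<h1>$title</h1><pre>${escapeHtml(summary)}</pre>"))
            else if (userAgent.startsWith("curl/"))
              // ANSI red for the title so it stands out in a terminal
              Response.text(s"\u001b[31m$title\u001b[0m\n$summary").setStatus(status)
            else
              Response.text(s"$title\n$summary").setStatus(status)
          }
        }
    }

  // The exception message may echo user input (e.g. a validation error), so escape it
  // before embedding it in HTML to avoid turning the dev error page into an XSS sink.
  private def escapeHtml(s: String): String =
    s.flatMap {
      case '<' => "&lt;"
      case '>' => "&gt;"
      case '&' => "&amp;"
      case '"' => "&quot;"
      case c   => c.toString
    }
}
```

Attach it as `app @@ ErrorPages.middleware(beautify = isDevMode)`, where `isDevMode` is a hypothetical flag read from your configuration.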