security: harden default error handler — safe-by-default

lib/router/sequential.js

@@ -15,10 +15,13 @@ const DEFAULT_ROUTE = (req, res) => {
 
 const DEFAULT_ERROR_HANDLER = (err, req, res) => {
   res.statusCode = 500
-  if (process.env.NODE_ENV === 'production') {
-    res.end('Internal Server Error')
-  } else {
+  res.setHeader('Content-Type', 'text/plain')
+  // Safe by default: only expose error details in explicit development mode.
+  // Production, staging, testing, and unset NODE_ENV all receive sanitized response.
+  if (process.env.NODE_ENV === 'development') {
     res.end(err.message)
+  } else {
+    res.end('Internal Server Error')
   }
 }
 

tests/nested-routers.test.js

@@ -98,7 +98,7 @@ describe('0http - Nested Routers', () => {
       .get('/r2/rolando/throw')
       .expect(500)
       .then((response) => {
-        expect(response.text).to.equals('nested error')
+        expect(response.text).to.equals('Internal Server Error')
       })
   })
 

tests/router-coverage.test.js

@@ -161,7 +161,7 @@ describe('0http - Router Coverage', () => {
         .get('/error')
         .expect(500)
         .then((response) => {
-          expect(response.text).to.equal('Intentional error')
+          expect(response.text).to.equal('Internal Server Error')
         })
     })
 

tests/v4.4.test.js

@@ -28,6 +28,20 @@ describe('v4.4 Improvements', () => {
         .expect('Internal Server Error')
     })
 
+    it('should hide error message when NODE_ENV is unset', async () => {
+      delete process.env.NODE_ENV
+      const { router, server } = cero()
+
+      router.get('/error', (req, res, next) => {
+        next(new Error('Sensitive Info'))
+      })
+
+      await request(server)
+        .get('/error')
+        .expect(500)
+        .expect('Internal Server Error')
+    })
+
     it('should show error message in development', async () => {
       process.env.NODE_ENV = 'development'
       const { router, server } = cero()