threat-modeling.md

Threat Model Analysis for bettererrors/better_errors

Threat: Source Code Exposure

Description: By triggering an error in a production environment where better_errors is enabled, an attacker can directly view the application's source code through the error page. This is a direct consequence of better_errors's code display feature.

Impact: High. Exposing source code allows attackers to understand application logic, identify vulnerabilities, and plan targeted attacks.

Affected Component: Error Page Rendering (code snippet display).

Risk Severity: High (in production if enabled).

Mitigation Strategies:

• Strictly disable better_errors in production environments.
• Implement automated checks in deployment pipelines to ensure better_errors is disabled in production.
• Regularly audit production configurations.

Threat: Environment Variable Exposure

Description: If better_errors is active in production, it will display environment variables on error pages. An attacker triggering an error can directly access sensitive information like API keys, database credentials, and secrets, which are often stored in environment variables. This is a direct function of better_errors's environment variable display.

Impact: Critical. Exposure of credentials grants attackers immediate unauthorized access to critical systems, databases, and external services, leading to severe data breaches and system compromise.

Affected Component: Error Page Rendering (environment variable display).

Risk Severity: Critical (in production if enabled).

Mitigation Strategies:

• Strictly disable better_errors in production environments.
• Employ secure secret management practices and avoid storing sensitive information directly in environment variables where possible.
• If environment variables are used for secrets, ensure they are never exposed in production logs or error pages by disabling better_errors.

Threat: Request Parameter and Session Data Exposure

Description: With better_errors enabled in production, error pages will display request parameters and session data. An attacker can trigger errors and directly view potentially sensitive user data, session tokens, and authentication cookies. This is a direct feature of better_errors's request and session data display.

Impact: High. Exposure of user data and session information can lead to privacy violations, session hijacking, account takeover, and unauthorized access to user accounts.

Affected Component: Error Page Rendering (request parameter and session data display).

Risk Severity: High (in production if enabled).

Mitigation Strategies:

• Strictly disable better_errors in production environments.
• Follow secure coding practices to avoid logging or displaying sensitive data unnecessarily, even in development.
• While less effective than disabling in production, consider parameter filtering within better_errors configuration for development environments to limit accidental exposure during development.