
Security Test: Sensitive Comments


Default Severity:

Comments left in code that reaches the client (HTML, JavaScript, CSS and other static assets) can disclose information about the application: internal hostnames and addresses, credentials, references to known bugs, or debugging and administrative endpoints.

Access to such information may help attackers identify vulnerabilities to exploit.


Identifier: information_disclosure/sensitive_comments


All configuration available:

    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.5.3
GDPR                Article-32
PSD2                Article-95
ISO 27001           A.18.1
NIST                SP800-53
CWE                 200
CVSS Score          5.3


Remediation

Strip comments from everything the server returns to clients. Comments in server-side code normally never leave the server, but anything in HTML, JavaScript, CSS or other static assets is readable by every visitor. Build production bundles with a minifier that drops comments, remove HTML comments from templates and static pages, and review whatever must stay (licence banners, for example) so it names no internal hosts, credentials, known bugs or disabled checks.

Frontend Specific

React Remove sensitive comments from the codebase to prevent disclosing information that could aid attackers in identifying vulnerabilities.
Angular Remove sensitive comments from the codebase to prevent disclosure of application information that could aid attackers in identifying vulnerabilities.
Vue Remove sensitive comments from the codebase to prevent disclosing application information that could aid attackers. Vue 3's template compiler removes HTML comments from templates in production unless the `comments` compiler option is set to true; comments in index.html and in plain .js files are governed by the bundler's minifier, not by Vue.
Svelte Remove sensitive comments from Svelte components and ensure no sensitive information is exposed in the codebase. The Svelte compiler strips HTML comments from component markup unless `preserveComments` is enabled, so the comments that survive a build are those in app.html and in plain script or style files.
Ember Remove sensitive comments from the codebase to prevent disclosing information that could aid attackers in identifying vulnerabilities in Ember applications.
Backbone Remove sensitive comments from the Backbone.js codebase to prevent disclosure of application information that could aid attackers in identifying vulnerabilities.
Preact Remove sensitive comments from the codebase to prevent information disclosure that could aid attackers in identifying vulnerabilities.
Gatsby Remove sensitive comments from the codebase to prevent disclosing information that could aid attackers in identifying vulnerabilities.
Blazor Review and remove any sensitive comments in the Blazor framework code to prevent disclosure of application information that could aid attackers.
Marko Remove or redact sensitive comments in Marko framework code to prevent disclosure of application information that could aid attackers in identifying vulnerabilities.
Mithril Remove sensitive comments from the codebase to prevent disclosing information that could aid attackers in identifying vulnerabilities in the Mithril framework application.
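The entries above, and the general remediation before them, come down to two operations: find the comments in what the server actually sends, and remove the ones that should not be there. The following is an added example, not part of this test's implementation or of any framework listed here: a small Python scanner that extracts HTML and JavaScript comments from a response body, flags those matching a hypothetical list of sensitive patterns, and strips the rest while keeping licence banners. The sample response and the pattern list are constructed for illustration.

```python
"""Find (and strip) comments in HTML/JavaScript responses that may leak internal details.

Added example for this page, not code from any scanner or framework listed here.
String literals are skipped so "https://" in a URL is not taken for a comment; regex
literals, nested template literals and "<!--" inside a <script> string are not handled.
"""
import re
from dataclasses import dataclass

# Words that make a comment worth a human look. Hypothetical starter list: tune it
# to your codebase (ticket prefixes, internal domains, vendor names).
SENSITIVE_PATTERNS = [
    re.compile(r"\b(TODO|FIXME|HACK|XXX)\b"),
    re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token|bearer)\b"),
    re.compile(r"(?i)\b(internal|staging|debug|admin|backdoor|bypass)\b"),
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                     # dotted IPv4 address
    re.compile(r"(?i)\b[a-z0-9.-]+\.(local|internal|corp|lan)\b"),  # internal hostname
]
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)

@dataclass
class Comment:
    kind: str   # "html", "line" or "block"
    text: str   # body without delimiters, whitespace-trimmed
    start: int  # offset of the opening delimiter in the scanned body
    end: int    # offset just past the comment (for "//": the newline itself)

def extract_js_comments(src: str) -> list[Comment]:
    """One pass over JavaScript source; string literals are skipped, not scanned."""
    found, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"`":                          # string or template literal
            i += 1
            while i < n and src[i] != ch:
                i += 2 if src[i] == "\\" else 1   # a backslash escapes the next char
            i += 1
        elif src.startswith("//", i):             # line comment runs to end of line
            end = src.find("\n", i)
            end = n if end == -1 else end
            found.append(Comment("line", src[i + 2:end].strip(), i, end))
            i = end
        elif src.startswith("/*", i):             # block comment runs to "*/"
            close = src.find("*/", i + 2)
            body_end, end = (n, n) if close == -1 else (close, close + 2)
            found.append(Comment("block", src[i + 2:body_end].strip(), i, end))
            i = end
        else:
            i += 1
    return found

def extract_html_comments(doc: str) -> list[Comment]:
    found = [Comment("html", m.group(1).strip(), m.start(), m.end())
             for m in HTML_COMMENT.finditer(doc)]
    for m in SCRIPT_BLOCK.finditer(doc):          # inline scripts get the JS scanner
        base = m.start(1)
        found += [Comment(c.kind, c.text, base + c.start, base + c.end)
                  for c in extract_js_comments(m.group(1))]
    return sorted(found, key=lambda c: c.start)

def extract_comments(body: str, content_type: str) -> list[Comment]:
    if "html" in content_type:
        return extract_html_comments(body)
    if "javascript" in content_type or "ecmascript" in content_type:
        return extract_js_comments(body)
    return []

def flag_sensitive(comments: list[Comment]) -> list[Comment]:
    return [c for c in comments if any(p.search(c.text) for p in SENSITIVE_PATTERNS)]

def is_license_banner(c: Comment) -> bool:
    # Minifier convention (terser's default): keep "/*!" comments and @license/@preserve.
    return c.text.startswith("!") or "@license" in c.text or "@preserve" in c.text

def strip_comments(body: str, content_type: str) -> str:
    """Remediation side: remove every comment except licence banners."""
    out, last = [], 0
    for c in extract_comments(body, content_type):
        if c.start < last or is_license_banner(c):   # skip overlaps, keep banners
            continue
        out.append(body[last:c.start])
        if c.kind == "block":
            out.append(" ")                        # a/**/b must not become ab
        last = c.end
    out.append(body[last:])
    return "".join(out)

# Constructed sample response, not captured from any real site.
SAMPLE_HTML = """<!doctype html>
<!-- deployed from build server 10.0.4.17; credentials on wiki.corp -->
<html><body>
<!-- Copyright 2024 Example Inc. -->
<script>
  // TODO: remove hardcoded admin bypass before launch
  const base = "https://api.example.com/v1"; // production endpoint
  /*! Example Inc. license banner */
  const key = 'x'; /* FIXME rotate api_key, see staging.internal */
</script>
</body></html>
"""
```

Run it against a production build rather than the source tree: what matters is what the client receives after bundling, and a minifier may already have removed most of it. On the sample, `flag_sensitive(extract_comments(SAMPLE_HTML, "text/html"))` returns three of the six comments (the deployment note with an address and an internal hostname, the TODO about an admin bypass, and the FIXME about api_key rotation), while `strip_comments` removes everything except the `/*!` banner, including the plain copyright notice, which is why licence text that must survive should be marked with `/*!` or `@license`.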

GraphQL Specific

Apollo Configure Apollo Server not to include stack traces in error responses. In Apollo Server 4 set `includeStacktraceInErrorResponses` to false (it defaults to true unless NODE_ENV is 'production' or 'test'); in Apollo Server 3 the equivalent is the `debug: false` option. Set `introspection: false` in production as well, since the schema itself reveals implementation details.
Awsappsync Configure AWS AppSync resolvers to prevent information leakage by ensuring error messages are generic and do not expose stack details or sensitive information. Utilize AWS AppSync settings to control and mask error responses.
Graphqlgo Configure the GraphQLGo server to suppress detailed error messages and stack traces in production environments. Implement middleware or custom error handling that returns generic error messages to the client, thus preventing the leakage of sensitive information about the underlying technology stack.
Graphqlruby In graphql-ruby, keep internal error details out of responses by rescuing exceptions at the schema level (`rescue_from(StandardError)` re-raising a `GraphQL::ExecutionError` with a generic message) and call `disable_introspection_entry_points` on the schema in production, or restrict introspection queries to authorized clients only.
Hasura Configure the Hasura GraphQL engine to prevent exposing server version information by setting the 'HASURA_GRAPHQL_HIDE_SERVER_HEADER' environment variable to 'true'. Additionally, review and adjust the 'HASURA_GRAPHQL_DEV_MODE' setting to ensure that detailed error messages are not sent to the client in production environments.
Agoo Configure the Agoo framework to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Ariadne Configure the Ariadne framework engine to suppress detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Caliban Configure the Caliban framework engine to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Dgraph Configure the Dgraph server to disable verbose error messages and remove any headers or responses that reveal the tech stack information.
Dianajl Configure the DianaJL framework engine to suppress detailed error messages and disable stack traces in production environments to prevent tech stack information leakage.
Directus Configure Directus to hide stack traces and disable detailed error messages in production to prevent tech stack information leakage.
Flutter Disable debug mode and ensure that no stack traces or error messages are exposed in production environments.
Graphene Configure the Graphene framework to disable detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Graphqlapiforwp Disable introspection queries in production to prevent exposure of the GraphQL schema and tech stack information.
Graphqlgophergo Disable introspection queries in production to prevent exposure of the GraphQL schema and tech stack information.
Graphqljava Disable introspection queries in production to prevent exposure of the GraphQL schema and underlying tech stack information.
Graphqlphp Disable introspection queries in production to prevent exposure of the GraphQL schema.
Graphqlyoga Disable introspection queries in production to prevent leaking schema details.
Hypergraphql Configure the HyperGraphQL framework to disable detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Jaal Configure the Jaal framework engine to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Juniper Configure the Juniper framework engine to suppress detailed error messages and disable verbose logging to prevent tech stack information leakage.
Lacinia Configure the Lacinia framework to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Lighthouse Configure the Lighthouse framework engine to suppress detailed error messages and stack traces in production environments to prevent information leakage.
Mercurius Configure Mercurius to hide stack traces and disable detailed error messages in production environments to prevent tech stack information leakage.
Morpheusgraphql Configure the Morpheus GraphQL engine to disable detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Gqlgen Configure gqlgen to hide stack traces and sensitive information in error responses: register `SetRecoverFunc` on the handler so panics become a generic error instead of leaking their message, and `SetErrorPresenter` to rewrite error messages before they reach the client.
Sangria Configure the Sangria framework to disable detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Shopify Configure the Shopify app to hide sensitive headers and disable error messages that reveal tech stack details.
Stepzen Configure the StepZen framework to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Strawberry Configure the Strawberry Framework engine to suppress detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Tartiflette Configure the Tartiflette engine to suppress error messages and stack traces in production environments to prevent tech stack information leakage.
Wpgraphql Disable detailed error messages and configure the server to hide technology stack information in the wpgraphql framework.

REST Specific

Asp_net Configure the ASP.NET framework to suppress detailed error messages and headers that reveal server or framework versions. In ASP.NET Framework, use custom error pages and set the 'customErrors' mode to 'On' or 'RemoteOnly' in web.config, and set the 'httpRuntime' element's 'enableVersionHeader' attribute to 'false' so the ASP.NET version is not included in HTTP responses. In ASP.NET Core, call 'UseDeveloperExceptionPage' only in the Development environment and set Kestrel's 'AddServerHeader' option to false.
Ruby_on_rails In the Ruby on Rails framework, configure the environment files to suppress detailed error messages and stack traces in production. Set 'config.consider_all_requests_local = false' so the public error pages are rendered instead of the debugging page, and leave 'config.action_dispatch.show_exceptions' enabled (`true` before Rails 7.1, `:all` or `:rescuable` from 7.1 on). Additionally, ensure that 'config/environments/production.rb' has 'config.log_level = :info' to limit logging verbosity.
Next_js Configure the Next.js application to disable the 'x-powered-by' header by setting the 'poweredByHeader' option to false in the 'next.config.js' file. Additionally, ensure that error pages do not disclose stack traces or other sensitive information to the client by customizing the error handling logic.
Laravel In the Laravel framework, ensure that the 'APP_DEBUG' setting in the '.env' file is set to 'false' in the production environment to prevent the server from leaking stack trace information. Additionally, configure the 'ExceptionHandler' to handle errors without revealing sensitive information, and use middleware to suppress or customize server headers that disclose technology stack details.
Express_js Configure the Express.js application to suppress server version information by setting the 'x-powered-by' header to false using the line 'app.disable('x-powered-by');' in the application setup code.
Django Set 'DEBUG = False' in production so Django serves its generic 500 page instead of the technical error page that lists settings and tracebacks. Django itself does not emit an 'X-Powered-By' header; the 'Server' header comes from the WSGI/ASGI server or the reverse proxy, so suppress it there (for example 'server_tokens off;' in nginx drops the version).
Symfony In the Symfony framework, set 'expose_php = Off' in php.ini and 'server_tokens off;' in the nginx configuration (or 'ServerTokens Prod' in Apache) so the PHP and web server versions are not advertised. Run production with 'APP_ENV=prod' and 'APP_DEBUG=0': the 'prod' environment renders generic error pages without messages or stack traces. Register 'WebProfilerBundle' and the debug bundles only for the 'dev' environment in 'config/bundles.php'.
Spring_boot In the Spring Boot application, configure application.properties or application.yml to disable the exposure of version information (the property names differ between recent and older Spring Boot versions). Set 'server.error.include-stacktrace=never' and 'server.error.include-message=never' so the default error response carries no stack trace or exception message, and review the server's HTTP response headers to remove or obscure any technology stack information.
Flask Run Flask in production with 'DEBUG' set to False and never enable the Werkzeug debugger there: setting 'WERKZEUG_DEBUG_PIN' to 'off' removes the PIN check on the debugger console and so makes an exposed debugger strictly worse, not safer. Register error handlers that return generic responses, and use the 'Flask-Talisman' extension to set security headers. The 'Server' banner comes from the WSGI server (Werkzeug's development server, gunicorn and others) or the reverse proxy, so suppress it there.
Nuxt Configure the Nuxt.js application to suppress server version headers and error messages that reveal stack details. Utilize the 'render' configuration to remove specific headers and customize error pages to prevent information leakage.
Fastapi Configure FastAPI to suppress server banners and error messages that reveal stack details. Use middleware to intercept responses and remove headers like 'server' and 'x-powered-by', and customize error handlers to prevent leaking stack information in error responses.
Frappe Disable debug mode and ensure error messages do not expose stack traces or sensitive information in the Frappe framework.
Genzio Configure the Genzio framework engine to suppress detailed error messages and disable stack trace outputs in production environments.
Gin Configure the Gin framework to hide server version details in HTTP headers and error messages to prevent tech stack information leakage.
Gorilla Configure Gorilla framework to hide server headers and error messages to prevent tech stack information leakage.
Hapi Configure the Hapi server so error responses stay generic: hapi already replaces 500 payloads with 'An internal server error occurred', and an 'onPreResponse' extension can sanitize Boom payloads for other errors. The server's 'debug' option only controls what is logged to the console, not what the client sees.
Hono Configure the Hono framework engine to suppress detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Jersey Disable detailed error messages and configure the server to hide stack traces and server information in HTTP responses.
Koa Koa sends no 'X-Powered-By' header by default, so check that no middleware adds one, and register an error-handling middleware at the top of the stack that logs the exception and returns a generic message instead of 'err.message'.
Ktor Ktor's DefaultHeaders plugin adds a 'Server: Ktor/<version>' header; override it with 'header(HttpHeaders.Server, "...")' inside 'install(DefaultHeaders)' or do not install the plugin, and use the StatusPages plugin to return generic error responses.
Leptos Configure the Leptos framework to disable detailed error messages and stack traces in production environments to prevent tech stack information leakage.
Macaron Configure the Macaron framework to disable detailed error messages and remove any headers that reveal server information.
Phoenix Configure the Phoenix framework to hide server headers and error messages to prevent tech stack information leakage.
Redwoodjs Configure RedwoodJS to hide stack traces and disable detailed error messages in production environments to prevent tech stack information leakage.
Rocket Configure the Rocket framework to hide server version details in HTTP headers and error messages to prevent tech stack information leakage.
Sveltekit Configure SvelteKit so server-side errors stay generic: the 'handleError' hook in 'src/hooks.server.js' decides what the client receives for unexpected errors (by default only a generic 'Internal Error' message), so log the real error there and return no more than a message and a correlation id.
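Most of the REST and GraphQL entries above prescribe the same thing: log the exception on the server and send the client a generic message with nothing that identifies the stack. As an added example, not from this page or from any listed framework, here is a framework-agnostic WSGI middleware doing exactly that. It wraps any WSGI application (Flask, Django, Pyramid and others expose one) and is exercised against a constructed app that advertises its framework in a header and raises with a secret in the exception message. Names such as GenericErrorMiddleware and leaky_app are this example's own.

```python
"""Return a generic error to the client and keep the traceback server-side.

Added example for this page, not code from any framework listed above. The
middleware is plain WSGI, so it wraps any WSGI app; the failing app below is
constructed so the behaviour can be checked offline.
"""
import json
import logging
import secrets
import sys
import traceback
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")


class GenericErrorMiddleware:
    """Catch unhandled exceptions and strip headers that name the stack."""

    def __init__(self, app, strip_headers=("Server", "X-Powered-By")):
        self.app = app
        self.strip = {h.lower() for h in strip_headers}

    def __call__(self, environ, start_response):
        def filtered_start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() not in self.strip]
            return start_response(status, headers, exc_info)

        try:
            # Materialise the body so errors raised while iterating are caught too
            # (this gives up streaming, acceptable for JSON APIs).
            return [b"".join(self.app(environ, filtered_start))]
        except Exception:
            ref = secrets.token_hex(6)   # correlation id: support can find the log line
            log.error("unhandled exception ref=%s\n%s", ref, traceback.format_exc())
            body = json.dumps({"error": "internal server error", "ref": ref}).encode()
            # Passing exc_info allows start_response to be called again if the app
            # already called it before failing (WSGI spec).
            start_response("500 Internal Server Error",
                           [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))],
                           sys.exc_info())
            return [body]


def leaky_app(environ, start_response):
    """Constructed sample app: advertises its framework and fails on /boom."""
    if environ["PATH_INFO"] == "/boom":
        # Exception messages often carry secrets; a debug page would echo this one.
        raise RuntimeError("connect failed: postgres://svc_user:hunter2@db.internal/app")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Powered-By", "LeakyFramework/1.2")])
    return [b"ok"]


def call(app, path):
    """Drive a WSGI app in-process; returns (status, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    hardened = GenericErrorMiddleware(leaky_app)
    print(call(leaky_app, "/"))        # X-Powered-By present
    print(call(hardened, "/"))         # header gone
    print(call(hardened, "/boom"))     # generic JSON; traceback only in the log
```

For ASGI frameworks (FastAPI, Django under ASGI) the equivalent is an exception-handling middleware of the same shape. The point that carries over to every framework on the list is that the client gets a correlation id, not a traceback, so support can still match a user report to the server-side log line.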