Disable Webserver Stack Trace in 500 responses of metabase API

devyetii · March 30, 2021, 9:42am

Hello everyone,

We use metabase version v0.37.6 in one of our projects and according to one of the pen. testing results of our project, we found that when hitting to /meta/api/dashboard/.... the response body is a stack trace. Is there any way to disable this stack trace returned in case of errors either by configuring our MB deployment or the internal Jetty server that serves the API internally ?

Thanks in advance

flamber · March 30, 2021, 9:49am

Hi @devyetii
How are you getting a stacktrace through /api/dashboard/... - what are you requesting?
You would have to use a reverse-proxy (or you own build of Metabase) and strip/block stacktraces from returns.
But there should be no sensitive information in the stacktraces.
Latest release is 0.38.2

devyetii · March 30, 2021, 9:49am

Thanks, @flamber. I'll consider this solution