[Feature]: Server-side option to mask/suppress DB/SQL error details in Execute API responses #41512
Description
Is there an existing issue for this?
- I have searched the existing issues
Summary
When a query/action execution fails, Appsmith currently returns detailed database/SQL error information in the Execute API network response (e.g., raw DB error messages, connector error details, potentially stack traces). We need a server-side configuration option to mask/suppress these sensitive error details in API responses while still keeping full diagnostics in server logs. This is required to meet security audit/compliance requirements where error payloads must not disclose internal schema, query text, or database-specific messages to end users via the browser network payload.
Why should this be worked on?
Our security audit/compliance requirements prohibit exposing detailed DB/SQL error information to clients because it can leak sensitive internal details (schema/table names, query fragments, DB vendor-specific messages, etc.).
UI-level workarounds (e.g., catching errors in JSObject and showing a generic message) are not sufficient, because auditors review the actual network response payload in the browser devtools and will flag detailed errors even if the UI hides them.
A server-side redaction feature would allow us to use Appsmith in stricter environments without requiring an external proxy layer to sanitize responses.
Ideally this should be configurable per instance (or per workspace/app) with a “safe error mode”:
Current Behavior
"responseMeta": { "success": false },
"data": {
"message": "SQL error: ... (raw DB error details)",
"errorType": "DB_EXECUTION_ERROR",
"details": {
"dbMessage": "syntax error near ...",
"vendor": "mysql",
"query": "SELECT ...",
"stackTrace": "..."
}
}
}
To Be (Example)
"responseMeta": { "success": false },
"data": {
"message": "An error occurred while executing the request.",
"errorType": "DB_EXECUTION_ERROR",
"errorCode": "APP_DB_001",
"correlationId": "xxxx-xxxx-xxxx"
}
}