Error Security Agent Skill
Error security — safe error responses, correlation IDs, no stack trace leaks in production.
The Skill
---
description: Error security — safe error responses, correlation IDs, no stack trace leaks in production.
homepage: https://yepapi.com/skills/error-security
metadata:
tags: [security, errors, logging, production]
---
# Error Security
## Rules
- Never leak stack traces, database errors, or file paths to clients in production
- Return generic error messages with a unique error ID: `{ error: "Something went wrong", errorId: "abc123" }`
- Log full error details server-side with the same correlation ID for debugging
- Use different error detail levels: development (full stack trace) vs production (safe message + ID)
- Catch all unhandled errors with global error handlers — never let raw errors reach the client
- Sanitize error messages from third-party services before forwarding to clients
- Return proper HTTP status codes: 400 (bad input), 401 (unauthenticated), 403 (forbidden), 404 (not found), 500 (server error)
```ts
// Express error handler middleware (register it after all routes so it sees their errors)
import express, { Request, Response, NextFunction } from "express";
import { randomUUID } from "node:crypto";

const app = express();

app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
  const errorId = randomUUID();
  // Log full details server-side
  console.error({ errorId, message: err.message, stack: err.stack, url: req.url });
  // Return safe response to client. Only errors the app raised itself carry a
  // statusCode; anything else (driver, filesystem, upstream) is treated as 500.
  const statusCode = (err as { statusCode?: number }).statusCode ?? 500;
  res.status(statusCode).json({
    error: statusCode >= 500 ? "Internal server error" : err.message,
    errorId,
    ...(process.env.NODE_ENV === "development" ? { stack: err.stack } : {}),
  });
});
```
```tsx
// Next.js error boundary — safe production errors
"use client"; // error boundaries must be client components

export default function GlobalError({
  error,
  reset,
}: {
  error: Error & { digest?: string };
  reset: () => void;
}) {
  return (
    <div>
      <h2>Something went wrong</h2>
      {/* digest is the hash Next.js attaches to server-side errors; look it up in the server logs */}
      <p>Error ID: {error.digest}</p>
      <button onClick={reset}>Try again</button>
    </div>
  );
}
```
## Avoid
- Returning `err.message` directly — database errors leak table names, column names, and query structure
- Stack traces in production responses — they reveal file paths, dependencies, and internal architecture
- Generic 500 for everything — use proper status codes so clients can handle errors appropriately
- Logging errors without correlation IDs — makes production debugging nearly impossible
- Swallowing errors silently — always log, even if the response is generic
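A framework-free version of the rules above, added here as an example (it is not part of the YepAPI skill file): one function splits whatever was thrown into the safe client body and the full server-side log record, both carrying the same correlation ID, and it applies the "never return `err.message` directly" rule by trusting only messages from the application's own `HttpError` class (an assumed name), so driver and third-party errors reach the client only as a generic 500. The database error text is constructed.

```typescript
import { randomUUID } from "node:crypto";

// Errors the application raises on purpose; their messages are written for clients.
// (HttpError is an assumed class name, not something from the skill file.)
export class HttpError extends Error {
  readonly statusCode: number;
  constructor(statusCode: number, message: string) {
    super(message);
    this.statusCode = statusCode;
  }
}

export interface ClientBody { error: string; errorId: string; stack?: string }
export interface ServerLog {
  errorId: string; statusCode: number; message: string; stack?: string; url: string;
}

// Turns whatever was thrown into (a) the safe body sent to the client and
// (b) the full record logged server-side, joined by one correlation ID.
export function splitError(
  thrown: unknown,
  url: string,
  env: string = "production",
  errorId: string = randomUUID(),
): { status: number; body: ClientBody; log: ServerLog } {
  // Non-Error throws (strings, plain objects) still get logged with a stack.
  const err = thrown instanceof Error ? thrown : new Error(String(thrown));
  // Only HttpError carries a trusted status and message. Driver, filesystem and
  // upstream errors have neither, so the client sees a generic 500.
  const status = err instanceof HttpError ? err.statusCode : 500;
  const safeMessage = status < 500 ? err.message : "Internal server error";
  const log: ServerLog = { errorId, statusCode: status, message: err.message, stack: err.stack, url };
  const body: ClientBody = { error: safeMessage, errorId };
  if (env === "development") body.stack = err.stack; // the stack only leaves the server in dev
  return { status, body, log };
}

// Constructed example: a raw database driver message that must never reach the client.
const dbFailure = new Error('relation "users" does not exist');
const { body, log } = splitError(dbFailure, "/api/users");
console.log(JSON.stringify(body)); // generic message plus errorId
console.log(JSON.stringify(log));  // full message, same errorId
```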
Why Use the Error Security Skill?
Without this skill, your AI guesses at error security patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Error Security skill installed. Your AI knows the context and writes code that fits.
"Create a global error handler that returns safe messages with correlation IDs"
"Add environment-aware error responses that show details in dev but not in production"
"Build an error middleware that logs full details server-side and returns generic client messages"
Error Security skill — FAQ
It provides rules for safe error responses, correlation IDs for debugging, proper HTTP status codes, and preventing stack trace leaks in production. Your AI writes error handling code that is both developer-friendly and secure.
Run `npx skills add YepAPI/skills --skill error-security` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Correlation IDs link the safe error message shown to the user with the full error details logged server-side. When a user reports 'error abc123', you can instantly find the stack trace, request details, and context in your logs.