James Howe opened SPR-14771 and commented
By default, validation errors on @Controller method parameters result in a response body detailing the specific FieldErrors.
Primarily for security purposes, it would be desirable to disable the echoing of the rejectedValue, both globally and perhaps with some kind of field annotation.
This would reduce the chance of sensitive data (passwords, PII, etc.) ending up in logs, for example.
I realise that the whole response can be fully customised anyway, but it seems like this sort of thing should be available by default, to help people secure their systems.
Issue Links:
@NoBind annotation for domain objects
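The customisation the issue refers to can be done today with a @ControllerAdvice. The example below is added here and is not code from the issue or from the Spring Framework; the class names ValidationErrorAdvice, FieldFailure and the @Redacted annotation are assumptions. It handles MethodArgumentNotValidException and echoes rejectedValue only for fields that are not marked @Redacted, failing closed (no echo) whenever the field cannot be resolved on the bound target, which covers the global and per-field variants the issue asks for. It assumes Spring Web on the classpath and Java 16 or later for the record type.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.FieldError;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/**
 * Added example, not part of Spring Framework: a global advice that strips the
 * submitted value from validation error responses. Set ECHO_BY_DEFAULT to false
 * to suppress rejectedValue for every field (the "global" switch); mark single
 * fields with @Redacted to suppress it per field (the "field annotation").
 */
@RestControllerAdvice
public class ValidationErrorAdvice {

    /** Hypothetical marker for fields whose submitted value must never be echoed. */
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Redacted {}

    /** Global switch; assumed default for this example. */
    private static final boolean ECHO_BY_DEFAULT = false;

    /** Response entry; rejectedValue is null whenever the value is withheld. */
    public record FieldFailure(String field, String message, Object rejectedValue) {}

    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<Map<String, List<FieldFailure>>> onInvalid(MethodArgumentNotValidException ex) {
        Object target = ex.getBindingResult().getTarget();
        List<FieldFailure> failures = ex.getBindingResult().getFieldErrors().stream()
                .map(fe -> new FieldFailure(
                        fe.getField(),
                        fe.getDefaultMessage(),
                        mayEcho(target, fe) ? fe.getRejectedValue() : null))
                .collect(Collectors.toList());
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(Map.of("errors", failures));
    }

    /**
     * Decide whether the submitted value may appear in the response. Anything
     * that cannot be resolved (null target, nested path such as "address.street",
     * unknown field) is treated as sensitive so a lookup failure never leaks data.
     */
    private static boolean mayEcho(Object target, FieldError fe) {
        if (!ECHO_BY_DEFAULT || target == null) {
            return false;
        }
        try {
            return !target.getClass()
                    .getDeclaredField(fe.getField())
                    .isAnnotationPresent(Redacted.class);
        } catch (NoSuchFieldException e) {
            return false;
        }
    }
}
```

With ECHO_BY_DEFAULT left at false the response carries only field names and messages, so a password or other PII that failed validation is never written into the body or into any access log that records response bodies; flipping it to true restores the stock behaviour except for fields annotated @Redacted.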