GuardAPI Logo
GuardAPI

Fix Improper Error Handling in Sanic

Leaking stack traces is a primary vector for information disclosure. In Sanic, improper configuration or default error behavior can dump internal logic, environment variables, and library versions to an attacker. To harden a Sanic application, you must intercept the exception pipeline, suppress verbose debugging in production, and implement a centralized, sanitized response mechanism.

The Vulnerable Pattern

from sanic import Sanic, response

app = Sanic(“InsecureApp”)


@app.get(“/debug-me”)
async def trigger_error(request):
# This will leak a full traceback to the client if debug=True
# or if the default handler is not overridden.
data = {}
return response.json({“val”: data[‘missing_key’]})


if name == “main”:
# CRITICAL: debug=True exposes the interactive debugger and tracebacks
app.run(host=“0.0.0.0”, port=8000, debug=True)

The Secure Implementation

The secure implementation utilizes a custom `ErrorHandler` class to override Sanic's default exception behavior. By overriding the `default()` method, we ensure that every unhandled exception is caught, logged with full context to internal logs, and then mapped to a sanitized JSON response. This prevents the 'Sanic-Exception-Page' from rendering in the browser. Furthermore, setting `debug=False` is mandatory for production to disable the auto-reload and the built-in debugger, which are known entry points for RCE and info-leakage.

from sanic import Sanic, response
from sanic.handlers import ErrorHandler
import logging

class UnifiedErrorHandler(ErrorHandler):
def default(self, request, exception):
# Log the actual traceback internally for the SOC/Dev team
logging.error(f”Exception occurred: {exception}”, exc_info=True)


    # Determine status code
    status_code = getattr(exception, "status_code", 500)
    
    # Return a generic, sanitized payload to the user
    return response.json(
        {
            "error": "Internal Server Error",
            "message": "An unexpected error occurred. Please contact support.",
            "trace_id": getattr(request, "id", "N/A")
        },
        status=status_code
    )


app = Sanic(“SecureApp”, error_handler=UnifiedErrorHandler())


@app.get(“/safe-route”)
async def safe_handler(request):
data = {}
return response.json({“val”: data[‘missing_key’]})


if name == “main”:
# Ensure debug is False and access_log is configured for production
app.run(host=“0.0.0.0”, port=8000, debug=False, access_log=True)

System Alert • ID: 7560
Target: Sanic API
Potential Vulnerability

Your Sanic API might be exposed to Improper Error Handling

74% of Sanic apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X