From 86dd5459368f5219b047ff639ec854c0aa5ab51e Mon Sep 17 00:00:00 2001
From: Test User
Date: Thu, 4 Jun 2026 23:39:55 +0530
Subject: [PATCH] security: strip Axios config/request objects from serialized error responses
---
 server/middleware/errorHandler.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/server/middleware/errorHandler.js b/server/middleware/errorHandler.js
index 2093b384..b07cf975 100644
--- a/server/middleware/errorHandler.js
+++ b/server/middleware/errorHandler.js
@@ -1,5 +1,14 @@
 module.exports = (err, req, res, next) => {
 console.error('❌ Error:', err.message);
+
+ // Strip sensitive request config and request objects from Axios/HTTP errors to prevent leaking keys/headers
+ if (err.config) {
+ delete err.config;
+ }
+ if (err.request) {
+ delete err.request;
+ }
+
 res.status(err.status || 500).json({
 error: err.message || 'Internal server error',
 ...(process.env.NODE_ENV === 'development' && { stack: err.stack }),
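Review bot: The two deletes at the top of the handler leave `err.response` in place, and on an Axios error that object carries its own `config` and `request` references, so the request headers the comment wants gone are still reachable from `err`. The JSON body visible in this hunk is built only from `err.message` and, in development, `err.stack`, so as far as the hunk shows the deletes do not change what is sent to the client; if a logger or serializer elsewhere is the real concern, name it in the comment and cover the nested copy too, e.g. `if (err.response) { delete err.response.config; delete err.response.request; }`. Separately, `error: err.message || 'Internal server error'` returns the raw message for 500s outside development as well, which can expose upstream or internal detail; a fixed message whenever the status is 500 or above would be safer. The handler body continues past the end of the hunk.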