Response Validation

18 tests verify error sanitization, header cleanup, and cookie security.

Configuration

Response validation settings in policy.yaml:

# policy.yaml
response:
  sanitization:
    # Remove sensitive information from error responses
    remove_stack_traces: true
    remove_internal_ips: true
    remove_sql_errors: true
    remove_file_paths: true

  cookies:
    # Enforce security flags on all cookies
    enforce_secure: true      # Require HTTPS
    enforce_httponly: true    # Prevent JavaScript access
    enforce_samesite: "Strict"  # Prevent CSRF

  headers:
    # Remove headers that leak server information
    remove:
      - "X-Powered-By"
      - "Server"
      - "X-AspNet-Version"

RESP-001 SANITIZED

Stack trace removal

Backend Response (before sanitization)

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{
  "error": "Database connection failed",
  "stack": "at DatabasePool.getConnection (db.js:45)\n    at UserService.find (user.js:23)\n    at Handler.get (/app/handlers/user.js:12)",
  "debug": {"query": "SELECT * FROM users WHERE id=1"}
}

Client Response (after sanitization)

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{"error": "Internal server error"}

Stack traces, debug information, and internal details are stripped from error responses to prevent information disclosure.

RESP-002 SANITIZED

SQL error message removal

Backend Response (before sanitization)

HTTP/1.1 500 Internal Server Error

{"error": "SQLSTATE[42S02]: Table 'users_backup' doesn't exist"}

Client Response (after sanitization)

HTTP/1.1 500 Internal Server Error

{"error": "Internal server error"}

SQL error messages that reveal database schema information are replaced with generic errors.

RESP-005 SANITIZED

Internal IP filtering

Backend Response (before sanitization)

HTTP/1.1 503 Service Unavailable

{"error": "Cannot connect to backend at 10.0.1.45:5432", "fallback": "192.168.1.100"}

Client Response (after sanitization)

HTTP/1.1 503 Service Unavailable

{"error": "Service temporarily unavailable"}

Internal IP addresses in the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, which is 172.16.x.x through 172.31.x.x, and 192.168.0.0/16) are removed to prevent network topology disclosure. The whole body is replaced rather than the addresses blanked in place: the port number (5432 here) and the "fallback" key would still tell an attacker that a database sits behind this service and that a second host exists.

RESP-008 SANITIZED

File path removal

Backend Response (before sanitization)

HTTP/1.1 404 Not Found

{"error": "File not found: /var/www/app/uploads/secret.pdf"}

Client Response (after sanitization)

HTTP/1.1 404 Not Found

{"error": "Resource not found"}

Absolute file paths are removed to prevent disclosure of server directory structure.
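Detection and replacement for the four sanitization rules (RESP-001, RESP-002, RESP-005 and RESP-008), as an added Python example; this is not the product's own code, and its regular expressions, the DEBUG_KEYS set and the extra loopback and link-local ranges are assumptions made here. It treats the sanitizer as a gate: any hit on an enabled rule replaces the whole body with the generic message for that status, which is the behaviour the client responses above show.

```python
import ipaddress
import json
import re

# The four sanitization switches from policy.yaml as a plain dict (no YAML parsing here).
SANITIZATION_POLICY = {"remove_stack_traces": True, "remove_internal_ips": True,
                       "remove_sql_errors": True, "remove_file_paths": True}

# Pattern detectors, constructed for this example and deliberately conservative:
# a false positive costs a generic error, a false negative leaks.
DETECTORS = {
    # JS/Java frame "at X (file:line)" or a Python traceback banner
    "remove_stack_traces": re.compile(
        r"\bat\s+[\w.$<>]+\s*\([^)]*\)|Traceback \(most recent call last\)"),
    "remove_sql_errors": re.compile(
        r"SQLSTATE\[\w+\]|\bORA-\d{5}\b|error in your SQL syntax", re.IGNORECASE),
    # Anchored to common filesystem roots so URL paths like /api/v1/users pass
    "remove_file_paths": re.compile(
        r"(?<![\w/])/(?:var|etc|home|usr|opt|app|srv|tmp|root)/\S+|\b[A-Za-z]:\\\S+"),
}
# Keys whose presence alone marks a debug payload, whatever the value holds
DEBUG_KEYS = {"stack", "stacktrace", "trace", "debug", "exception"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The RFC 1918 ranges named in the policy; loopback and link-local are an addition here
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Generic replacement text per status, matching the client responses above
GENERIC_MESSAGE = {404: "Resource not found", 503: "Service temporarily unavailable"}
DEFAULT_MESSAGE = "Internal server error"


def internal_ips(text):
    """Return the internal IPv4 addresses that appear in text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 looks like an address but is not one
            continue
        if any(addr in net for net in INTERNAL_NETS):
            found.append(candidate)
    return found


def _walk(value):
    """Yield ("key", name) and ("value", text) items from a decoded JSON body."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield "key", key
            yield from _walk(item)
    elif isinstance(value, list):
        for item in value:
            yield from _walk(item)
    elif isinstance(value, str):
        yield "value", value


def find_leaks(body, policy):
    """Return the set of enabled rules that the decoded body violates."""
    hits = set()
    for kind, text in _walk(body):
        if kind == "key":
            if policy.get("remove_stack_traces") and text.lower() in DEBUG_KEYS:
                hits.add("remove_stack_traces")
            continue
        for rule, pattern in DETECTORS.items():
            if policy.get(rule) and pattern.search(text):
                hits.add(rule)
        if policy.get("remove_internal_ips") and internal_ips(text):
            hits.add("remove_internal_ips")
    return hits


def sanitize_response(status, body, policy=SANITIZATION_POLICY):
    """Sanitize one backend response; returns (client_body, rules_hit).

    Any hit replaces the whole body: redacting in place would still reveal key
    names, field lengths and which field was cut. Non-error statuses and
    non-JSON bodies pass through untouched.
    """
    if status < 400:
        return body, set()
    try:
        decoded = json.loads(body)
    except ValueError:
        return body, set()
    hits = find_leaks(decoded, policy)
    if not hits:
        return body, hits
    return json.dumps({"error": GENERIC_MESSAGE.get(status, DEFAULT_MESSAGE)}).encode(), hits


# Constructed inputs: the backend bodies of RESP-001/002/005/008 above, plus a
# clean 404 and a public-IP message that must both pass through unchanged.
SAMPLES = {
    "RESP-001": (500, b'{"error": "Database connection failed", "stack": "at DatabasePool.getConnection '
                      b'(db.js:45)\\n    at Handler.get (/app/handlers/user.js:12)", "debug": {"query": "SELECT * FROM users WHERE id=1"}}'),
    "RESP-002": (500, b'{"error": "SQLSTATE[42S02]: Table \'users_backup\' doesn\'t exist"}'),
    "RESP-005": (503, b'{"error": "Cannot connect to backend at 10.0.1.45:5432", "fallback": "192.168.1.100"}'),
    "RESP-008": (404, b'{"error": "File not found: /var/www/app/uploads/secret.pdf"}'),
    "clean-404": (404, b'{"error": "User 42 not found", "path": "/api/v1/users/42"}'),
    "public-ip": (502, b'{"error": "Upstream 93.184.216.34 timed out"}'),
}


def run_samples(policy=SANITIZATION_POLICY):
    """Sanitize every sample; returns {name: (client_body, sorted rules hit)}."""
    results = {}
    for name, (status, body) in SAMPLES.items():
        client_body, hits = sanitize_response(status, body, policy)
        results[name] = (client_body, sorted(hits))
    return results
```

Call run_samples() to see each sample's client body next to the rules that fired. The root-anchored path pattern is the deliberate trade-off: a pattern that matched any slash-separated string would also flag the URL paths that legitimately appear in 404 messages, and a sanitizer that turns every 404 into a generic error hides real routing problems from the client.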

RESP-010 ENFORCED

Cookie security flags

Backend Response (before enforcement)

Set-Cookie: session=abc123; Path=/

Client Response (after enforcement)

Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict

All cookies are rewritten to carry the three flags: Secure (sent only over HTTPS), HttpOnly (not readable from JavaScript, so a script-injection bug cannot steal the session), and SameSite=Strict (the browser omits the cookie from cross-site requests, which defeats CSRF). Two checks before enabling this policy: Secure means the cookie is silently dropped on any plain-HTTP path that still exists, and Strict also withholds the cookie on top-level navigations from other sites, so a user following an external link to the application arrives logged out; enforce_samesite: "Lax" keeps the protection for cross-site POSTs while allowing those navigations.

RESP-015 REMOVED

Server header removal

Backend Response (before removal)

HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/8.1.2
X-AspNet-Version: 4.0.30319

Client Response (after removal)

HTTP/1.1 200 OK

Headers that reveal the server technology and version are removed so an attacker cannot fingerprint the stack and pick exploits for the exact versions disclosed (here Apache 2.4.51, PHP 8.1.2 and ASP.NET 4.0.30319). Stripping at the proxy also covers servers that cannot fully suppress the header themselves (Apache's ServerTokens Prod still sends "Server: Apache"). This is defence in depth, not a fix: the software behind the proxy still needs patching, and the stack can often be inferred from other signals such as cookie names, error formats and header ordering.
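Cookie flag enforcement (RESP-010) and fingerprint header removal (RESP-015) implemented over a parsed header list, as an added Python example rather than the product's own code; the header parser, the second sample cookie and the rule that the policy's SameSite value overrides whatever the backend set are assumptions made here.

```python
# The cookies and headers sections of policy.yaml as a dict (no YAML parsing here).
HEADER_POLICY = {
    "cookies": {
        "enforce_secure": True,
        "enforce_httponly": True,
        "enforce_samesite": "Strict",
    },
    "headers": {"remove": ["X-Powered-By", "Server", "X-AspNet-Version"]},
}


def _attr_name(attribute):
    """Lower-cased name of a Set-Cookie attribute ("Path=/" -> "path")."""
    return attribute.split("=", 1)[0].strip().lower()


def enforce_cookie(set_cookie, cookie_policy):
    """Return the Set-Cookie value with the policy's flags applied.

    Flags the backend already set are kept once, not duplicated. A backend
    SameSite value is replaced by the policy's (assumption made here): the point
    of enforcement is that a weaker backend choice does not win.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return set_cookie                       # not a name=value cookie; leave alone
    pair, attrs = parts[0], parts[1:]
    samesite = cookie_policy.get("enforce_samesite")
    if samesite:
        attrs = [a for a in attrs if _attr_name(a) != "samesite"]
    present = {_attr_name(a) for a in attrs}
    if cookie_policy.get("enforce_secure") and "secure" not in present:
        attrs.append("Secure")
    if cookie_policy.get("enforce_httponly") and "httponly" not in present:
        attrs.append("HttpOnly")
    if samesite:
        attrs.append(f"SameSite={samesite}")
    return "; ".join([pair] + attrs)


def apply_header_policy(headers, policy=HEADER_POLICY):
    """Filter a list of (name, value) response headers through the policy.

    Names are matched case-insensitively, so a backend sending "server:" does not
    slip past a policy listing "Server". Every Set-Cookie header is rewritten;
    a response may carry several.
    """
    remove = {name.lower() for name in policy["headers"]["remove"]}
    filtered = []
    for name, value in headers:
        lowered = name.lower()
        if lowered in remove:
            continue
        if lowered == "set-cookie":
            value = enforce_cookie(value, policy["cookies"])
        filtered.append((name, value))
    return filtered


def parse_raw_headers(raw):
    """Split a raw HTTP header block into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


# Constructed backend response: the RESP-015 headers above, the RESP-010 cookie,
# and a second cookie that already carries some flags.
BACKEND_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/8.1.2
X-AspNet-Version: 4.0.30319
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax
"""


def run_sample():
    """Apply the policy to BACKEND_RESPONSE; returns the client-side header list."""
    _, headers = parse_raw_headers(BACKEND_RESPONSE)
    return apply_header_policy(headers)


if __name__ == "__main__":
    for name, value in run_sample():
        print(f"{name}: {value}")
```

The one situation blanket enforcement does not accommodate is a cookie the front-end JavaScript must read, such as the token cookie of a double-submit CSRF scheme: HttpOnly on that cookie breaks the scheme, so such cookies need an explicit exemption rather than the all-cookies rule.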