Spring Boot Error Server Configuration
Spring Boot provides flexible error handling configuration options that allow you to control what information is exposed in error responses. This is crucial for maintaining security in production while providing detailed debugging information in development environments.
This tutorial showcases varying error response behaviors across different deployment profiles using a REST controller that intentionally throws errors for demonstration purposes.
1. Error Configuration Options
Spring Boot offers six key configurable error properties that control error response behavior:
1.1. Include Binding Errors
Controls visibility of validation errors in form submissions.
Default Value:
NEVERPossible Values:
ALWAYS,NEVER,ON_PARAMDescription: Specifies whether binding errors, such as validation errors in form submissions, should be included in error responses.
1.2. Include Exception
Toggles detailed exception information in responses.
Default Value:
falsePossible Values:
true,falseDescription: Specifies whether detailed exception information should be included in error responses.
1.3. Include Message
Manages error message visibility.
Default Value:
NEVERPossible Values:
ALWAYS,NEVER,ON_PARAMDescription: Specifies whether error messages should be included in error responses.
1.4. Include Stack Trace
Determines stack trace inclusion in error responses.
Default Value:
NEVERPossible Values:
ALWAYS,NEVER,ON_PARAMDescription: Specifies whether stack traces should be included in error responses.
1.5. Error Controller Path
Default location for error handling.
Default Value:
/errorPossible Values: Any valid URL path
Description: Defines the path of the error controller, which handles error requests.
1.6. Whitelabel Error Page
Enables or disables the default error page displayed in browsers.
Default Value:
truePossible Values:
true,falseDescription: Specifies whether to enable the default Whitelabel Error Page displayed in browsers in case of a server error.
Understanding the configuration values:
|
2. Environment-Specific Profiles
2.1. Development Environment
Configuration for development profiles (local, test, dev):
Include Binding Errors:
ALWAYSInclude Exception:
trueInclude Message:
ALWAYSInclude Stack Trace:
ALWAYS
All error details are included to facilitate debugging and development.
2.2. QA and Staging Environment
Configuration for QA and staging profiles:
Include Binding Errors:
ON_PARAMInclude Exception:
trueInclude Message:
ON_PARAMInclude Stack Trace:
ON_PARAM
Details are shown conditionally via query parameters (e.g., ?trace=true).
2.3. Production Environment
Configuration for production profile:
Whitelabel Error Page Enabled:
false
Whitelabel error page is disabled for security, omitting sensitive details entirely.
3. Project Setup
3.1. Requirements
3.2. Maven Configuration
The project uses Spring Boot 3.2.3 with Java 21.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.2.3</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.maoudia</groupId>
<artifactId>app</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>maoudia-app</name>
<description>MAOUDIA APP</description>
<properties>
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
4. Application Configuration
4.1. Error Configuration
The application configuration demonstrates profile-based error handling settings.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
server:
port: 8080
error:
include-binding-errors: NEVER
include-exception: OFF
include-message: NEVER
include-stacktrace: NEVER
path: /error
whitelabel:
enabled: ON
spring:
application:
name: app
---
spring.config.activate.on-profile: local, test, dev
server:
error:
include-binding-errors: ALWAYS
include-exception: ON
include-message: ALWAYS
include-stacktrace: ALWAYS
---
spring.config.activate.on-profile: qa, staging
server:
error:
include-binding-errors: ON_PARAM
include-exception: ON
include-message: ON_PARAM
include-stacktrace: ON_PARAM
---
spring.config.activate.on-profile: prod
server:
error:
whitelabel:
enabled: OFF
5. Implementation
5.1. Error Resource Controller
We create a REST controller with an endpoint that intentionally throws errors to showcase error handling behavior.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
package com.maoudia;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class ErrorResource {
/**
* Endpoint to intentionally throw an error.
*
* @return ResponseEntity containing an error message
*/
@GetMapping("/throw")
public ResponseEntity<String> throwError() {
// Simulate an error by throwing a RuntimeException
throw new RuntimeException("This endpoint always throws an error.");
}
}
6. Testing Error Responses
6.1. Default Configuration
Request without any specific profile:
1
curl -X GET http://localhost:8080/throw
Response:
1
2
3
4
5
6
{
"timestamp": "2024-02-27T10:10:03.310+00:00",
"status": 500,
"error": "Internal Server Error",
"path": "/throw"
}
Notice that no sensitive information is exposed in the default configuration.
6.2. Staging Profile with Query Parameter
Request with staging profile and trace=true parameter:
1
curl -X GET http://localhost:8080/throw?trace=true
Response:
1
2
3
4
5
6
7
8
{
"timestamp": "2024-02-27T10:16:25.951+00:00",
"status": 500,
"error": "Internal Server Error",
"exception": "java.lang.RuntimeException",
"trace": "java.lang.RuntimeException: This endpoint always throws an error.\n\tat com.maoudia.ErrorResource.throwError(ErrorResource.java:18)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:580)\n...",
"path": "/throw"
}
With the trace=true query parameter in staging environment, the full stack trace is returned for debugging purposes.
6.3. Development Profile
When running with development profiles (local, test, dev), all error details are automatically included without requiring query parameters.
6.4. Production Profile
In production, the whitelabel error page is disabled, and production requests omit sensitive details entirely, returning only the minimal error information.
Enable each profile (e.g., local, test, dev, qa, staging, prod) in your Spring Boot application to see the respective error handling behavior. You can activate a profile using:
|
7. Best Practices
7.1. Security Considerations
Never expose stack traces in production - They can reveal internal application structure and potential security vulnerabilities.
Use conditional disclosure - In staging/QA environments, use
ON_PARAMto allow developers to see details only when needed.Disable whitelabel page in production - Custom error pages provide better user experience and don’t expose Spring Boot information.
7.2. Development Efficiency
Enable all details in development - Use
ALWAYSsettings to facilitate debugging.Consistent environment naming - Use clear profile names (dev, qa, staging, prod) across all projects.
Document query parameters - Make sure developers know about the
?trace=trueoption in non-production environments.
7.3. Monitoring and Logging
While limiting error details in responses is important for security, ensure comprehensive error logging is enabled in all environments for monitoring and troubleshooting purposes.
8. Conclusion
Proper error handling configuration is essential for maintaining security while providing useful debugging information. By leveraging Spring Boot’s profile-based configuration, you can:
Expose detailed error information in development environments
Provide conditional access to error details in staging/QA
Maintain security by limiting error exposure in production
Improve developer experience without compromising security
The complete source code is available on GitHub Gist.