If exceptions are not handled safely, Magento may display stack traces, file paths, SQL queries, or sensitive configuration details to customers. Attackers can use this leaked information to discover modules, database schema, and entry points for attacks.
On production, exceptions should be logged internally but shown as friendly error pages without sensitive details. This reduces information leakage while still giving admins access to the root cause in the logs.
# Trigger an error (e.g., invalid URL or module crash)
# Expected: customer sees a generic "Something went wrong" page
# NOT a detailed stack trace
# Check var/log/exception.log
# Expected: stack trace and details logged securely
- display_errors is off in PHP configuration (see MB-R033).
- pub/errors/default/ is used to show user-friendly error pages instead of raw exception dumps.
- Logs are written to var/log/ and protected from public access (see MB-R042).
# Browser shows raw stack trace
Exception: SQLSTATE[42S02]: Base table not found: 1146 Table 'magento.customer_entity' doesn't exist
# File paths and SQL exposed → FAIL
# Browser shows
"Something went wrong while processing your request."
# Details captured only in var/log/exception.log → PASS
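As an added illustration (not code from the original page or from Magento core), the PASS pattern applied inside a custom Magento 2 controller action: the exception is logged in full through Magento's PSR-3 logger while the customer only receives the generic message. The Vendor\Example namespace, the ExportService class with its export() method, and the redirect path are hypothetical names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Magento core code. Vendor\Example and ExportService are
// hypothetical names used only to make the controller complete.
namespace Vendor\Example\Controller\Account;

use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\Controller\Result\Redirect;
use Magento\Framework\Controller\Result\RedirectFactory;
use Magento\Framework\Message\ManagerInterface;
use Psr\Log\LoggerInterface;
use Vendor\Example\Model\ExportService;

class Export implements HttpGetActionInterface
{
    public function __construct(
        private readonly RedirectFactory $redirectFactory,
        private readonly ManagerInterface $messageManager,
        private readonly LoggerInterface $logger,
        private readonly ExportService $exportService
    ) {
    }

    public function execute(): Redirect
    {
        $redirect = $this->redirectFactory->create();
        $redirect->setPath('customer/account');

        try {
            $this->exportService->export();
            $this->messageManager->addSuccessMessage(__('Your export is ready.'));
        } catch (\Throwable $e) {
            // FAIL pattern this replaces: addErrorMessage($e->getMessage()) would put
            // "SQLSTATE[42S02]: Base table not found ..." in front of the customer.
            //
            // Pass the exception in the PSR-3 context so the full detail (message,
            // file, line, trace) reaches the log handlers; with Magento's stock
            // handlers this is what feeds var/log/exception.log.
            $this->logger->critical($e->getMessage(), ['exception' => $e]);

            // The customer sees only a generic, non-revealing message.
            $this->messageManager->addErrorMessage(
                __('Something went wrong while processing your request.')
            );
        }

        return $redirect;
    }
}
```

This covers exceptions caught inside your own code; uncaught exceptions elsewhere still rely on display_errors being off and on the pub/errors/ templates, so both checks above remain necessary.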