FinalHandler should not display stack traces by default

[michaelmoussa]

This seems like a dangerous default to me, and it contradicts the Expressive documentation here.

Specifically:

If the FinalHandler was initialized with an option indicating that it is in development mode, it writes the exception stack trace to the response body.

However, the default initialization of the FinalHandler (which is what Expressive does in the default error pipeline) leaves the env option unset, which causes ! isset($this->options['env']) to evaluate to true and creates the Development error message. You'd actually need to specify ['env' => 'production'] in the constructor in order to not display the stack trace.

I think the reverse would be a safer default - you must explicitly state that you're in development in order for the stack trace to appear (which is what the Expressive documentation indicates).

Specifically: if (isset($options['env']) && $options['env'] === 'development')

Either that, or correct the Expressive documentation.

I like the former better, but I realize it's technically a BC break (if your application needs to display stack traces in Production by default, that is...), so it should be discussed (assuming I'm not the only one who thinks this is an issue).

Thoughts?

[weierophinney]

Definitely a bug. While it's a BC break, the defaults should always be production-safe, so I'd consider the current behavior a bug. Users can adapt if they need to have the stack trace displayed.

Send me a PR! 👍