Suggestion
Resolution: Unresolved
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Having verbose messages displayed openly by Jira through the browser has the security implication of providing an invader with information about points of weakness and also environment configurations.
As a network administrator, I would like to have a kill-switch for those messages, leaving the logs as the only way to have that information.
In the scope of JRASERVER-38101, a new system option has been added to allow admins to prevent the stack trace from being shown. However, it was only implemented for Jira's 500 error page. Example below with the stack trace hidden:
However, there are still other places where a stack trace is shown to users. Examples:
TypeError
Errors like TypeError: Cannot read properties of undefined will output a stack trace to users, similar to the screenshot below:
XML responses
Accessing certain URLs like http://Base_URL/rest/api/1.0/menus/home_link will return a 500 error and an XML file containing a stack trace:
There is an existing feature request for this issue: JRASERVER-73283
Oops - an error has occurred
The "Sorry, we had some technical problems during your last operation" webpage will also output a stack trace on the screen.
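An added example, not part of the original suggestion or of Jira's code: a check an administrator could run over saved response bodies to confirm whether a Java or JavaScript stack trace is exposed to the browser, covering the XML, TypeError and HTML cases listed above. The sample bodies, the XML element names and the host jira.example.test are constructed for illustration.

```python
import html
import re

# Java frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
JAVA_FRAME = re.compile(
    r"^\s*at\s+[\w$.]+\.[\w$<>]+\((?:[\w$]+\.java:\d+|Native Method|Unknown Source)\)",
    re.MULTILINE)
# Fully qualified Java exception name, e.g. "java.lang.NullPointerException"
JAVA_HEADER = re.compile(r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b")
# JavaScript frame, e.g. "at render (https://host/app.js:10:5)"
JS_FRAME = re.compile(
    r"^\s*at\s+(?:[\w$.<>]+\s+\()?\S+\.js[^\s:]*:\d+:\d+\)?", re.MULTILINE)
JS_HEADER = re.compile(r"\b(?:Type|Reference|Range|Syntax)Error: [^\n<]+")


def find_stack_trace(body, min_frames=2):
    """Return details of a leaked stack trace in a response body, or None."""
    text = html.unescape(body)  # traces embedded in HTML/XML are entity-escaped
    for kind, frame_re, header_re in (("java", JAVA_FRAME, JAVA_HEADER),
                                      ("javascript", JS_FRAME, JS_HEADER)):
        frames = frame_re.findall(text)
        if len(frames) >= min_frames:  # one stray "at ..." line is not a trace
            header = header_re.search(text)
            return {"kind": kind, "frames": len(frames),
                    "error": header.group(0) if header else None}
    return None


# Constructed sample bodies (not captured from a real Jira instance);
# the XML element names are hypothetical.
SAMPLES = {
    "rest-xml-500": (
        "<status><message>boom</message><stack-trace>java.lang.NullPointerException\n"
        "\tat com.example.rest.MenuResource.&lt;init&gt;(MenuResource.java:17)\n"
        "\tat com.example.rest.MenuResource.get(MenuResource.java:42)\n"
        "\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n"
        "</stack-trace></status>"),
    "html-typeerror": (
        "<pre>TypeError: Cannot read properties of undefined (reading 'id')\n"
        "    at renderPanel (https://jira.example.test/s/batch.js:10:2345)\n"
        "    at https://jira.example.test/s/batch.js?locale=en:12:77\n</pre>"),
    "html-500-trace-hidden": (
        "<html><body><h1>Oops - an error has occurred</h1>"
        "<p>Look at the server log, or at the support page.</p></body></html>"),
}


def audit(samples):
    """Map each sample name to its finding (None means no trace exposed)."""
    return {name: find_stack_trace(body) for name, body in samples.items()}
```

Running `audit` over bodies saved before and after changing the system option shows which error surfaces still expose frames; only the logs should carry them.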
- is related to
  JRASERVER-73283 Stack trace should be hidden from REST responses (Gathering Interest)
- relates to
  JRACLOUD-43184 Add the ability to disable verbose error messages output in the browser (Closed)
  PSR-749