From 8b04893ceb562631c7b1afff6c39114899ee3391 Mon Sep 17 00:00:00 2001
From: dailz
Date: Sat, 6 Jun 2026 21:22:57 +0800
Subject: [PATCH] fix(security): remove error details from HTTP 500 response (#12)

The 500 error response previously included the raw error message {e} in the body, potentially leaking internal implementation details (SDP parse errors, ICE candidate info) to clients. The detailed error is already logged server-side via tracing::error!, so the response body is now a fixed generic string with a proper HTTP/1.1 status line.
---
 src/webrtc.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/webrtc.rs b/src/webrtc.rs
index a099c2e..380d315 100644
--- a/src/webrtc.rs
+++ b/src/webrtc.rs
@@ -210,7 +210,7 @@ impl WebRtcState {
 }
 Err(e) => {
 tracing::error!("SDP offer handling failed: {e}");
- let resp = format!("HTTP/1.1 500 Error\r\nConnection: close\r\n\r\n{e}");
+ let resp = "HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\n\r\n";
 let _ = stream.write_all(resp.as_bytes());
 }
 }
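Review bot: The new 500 response on the `+` line carries no `Content-Length`, so a client can only detect the end of the (empty) body via EOF, which works only if the stream is shut down promptly after this write — and that happens outside the hunk, if at all. Making the framing explicit is a one-line change: `let resp = "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";`. The `let _ = stream.write_all(...)` on the following context line still discards the write error silently; for a best-effort error reply that is defensible, but a `tracing::debug!` on failure would help when clients report truncated replies. Since `e` may embed client-supplied SDP text, it would also be worth pinning the fix with a comment such as `// NOTE: e may contain attacker-controlled SDP; log only, never echo to the client` so the leak is not reintroduced later. The enclosing function starts and ends outside this hunk.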