What is considered good practice, application-security-wise, when returning errors from a backend API?
I have inherited a project with a lot of technical debt, which I intend to improve.
One noticeable problem is that error codes are not informative at all. Sometimes it gives a 500 "error" with no further detail. Sometimes it gives a 200 with an error in the JSON. Sometimes it returns a 403 not authorized, which is nicer.
I want to make debugging easier, so giving more information in the error would be useful, but I wonder if there are security considerations to take into account when returning more information in error responses.
Are codes considered better than informative messages? (Seems like security through obscurity).
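As an added illustration (not part of the question or of any answer on this page), the following Python snippet shows the response shape usually recommended for this situation: a real HTTP status (never 200 for a failure), a stable machine-readable error code, a short message that is safe to show to any caller, and a request id that ties the response to a server-side log entry holding the stack trace and other internals. The `ApiError` class, the `shape_error` and `handle_request` helpers and the sample view are all constructed for this example and use only the standard library.

```python
"""Shaping API error responses so clients get enough to debug with, but no internals."""
import logging
import traceback
import uuid
from http import HTTPStatus
from typing import Any, Callable, Dict, Optional, Tuple

log = logging.getLogger("api")  # server-side log; receives the details the client must not


class ApiError(Exception):
    """An error the API raises on purpose. Its message is written to be client-safe."""

    def __init__(self, status: HTTPStatus, code: str, message: str) -> None:
        super().__init__(message)
        self.status = status
        self.code = code
        self.message = message


def shape_error(exc: Exception, request_id: Optional[str] = None) -> Tuple[int, Dict[str, Any]]:
    """Map an exception to (HTTP status, JSON body).

    Deliberate ApiErrors pass their status, code and message through.
    Anything else is an unexpected failure: the client gets a generic 500 body,
    while the exception type and traceback go only to the server log, keyed by
    the same request id so an operator can look the failure up from the id the
    client reports.
    """
    rid = request_id or uuid.uuid4().hex
    if isinstance(exc, ApiError):
        status, code, message = exc.status, exc.code, exc.message
        log.info("request=%s code=%s %s", rid, code, message)
    else:
        status = HTTPStatus.INTERNAL_SERVER_ERROR
        code, message = "internal_error", "An internal error occurred."
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("request=%s unhandled %s\n%s", rid, type(exc).__name__, detail)
    return int(status), {"error": {"code": code, "message": message, "request_id": rid}}


def handle_request(view: Callable[[], Any], request_id: Optional[str] = None) -> Tuple[int, Dict[str, Any]]:
    """Run a view function and turn its outcome into a (status, body) pair.

    Success is a 200 with the view's result; failures are routed through
    shape_error so that no raw exception text ever reaches the client.
    """
    try:
        return int(HTTPStatus.OK), {"data": view()}
    except Exception as exc:  # noqa: BLE001 - the whole point is to catch everything here
        return shape_error(exc, request_id)


# --- constructed sample view for demonstration -------------------------------
FAKE_DB_URL = "postgres://app:s3cret@db.internal/prod"  # constructed secret; must never leak


def lookup_user(user_id: int, caller_is_admin: bool) -> Dict[str, Any]:
    """Sample view: authorization failure is deliberate, DB failure is not."""
    if not caller_is_admin:
        raise ApiError(HTTPStatus.FORBIDDEN, "forbidden", "You are not allowed to view this user.")
    # Simulated infrastructure failure whose message contains internals.
    raise RuntimeError(f"could not connect to {FAKE_DB_URL}: timeout")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_request(lambda: lookup_user(7, caller_is_admin=False), "req-1"))
    print(handle_request(lambda: lookup_user(7, caller_is_admin=True), "req-2"))
```

The client-facing `code` field is what front-ends and scripts should branch on; the `message` is for humans and may change wording without breaking callers; the `request_id` is what a user pastes into a support ticket, and the operator greps the server log for it. The secret-bearing connection string in the constructed `RuntimeError` appears in the log entry but never in the response body.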