500 responses indicate server-side errors. By defining them, an API can offer meaningful information about what went wrong. When API consumers encounter a 500 response, a clear definition helps them understand the nature of the problem and whether it is something that needs addressing on the client side or an issue with the server. Including definitions for 500 responses in the API specification promotes transparency and professionalism: it shows that the developers have considered various scenarios and are prepared to handle unexpected situations.
This rule applies at the API Specification level (OAS/Swagger).
Information Disclosure: Without a defined 500 response, the server may fall back to a framework default and disclose sensitive information such as configuration details, stack traces or software versions in its error messages. Attackers could use this information to identify potential vulnerabilities or exploit misconfigurations.
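As an added example (not part of the original rule text or any scanner's own implementation), the checker below walks an OpenAPI 3 document, reports every operation that lacks an explicit `500` response, flags `500` responses that declare no schema (so the error body shape is unconstrained), and produces a corrected copy of the spec that references a shared `Error` schema. The spec document, the `Error` schema and the `add_500_response` helper are constructed here for illustration; a `default` response is deliberately not counted as a 500 definition, since the rule asks for an explicit one.

```python
"""Check an OpenAPI 3 document for missing or unschema'd 500 responses.

Added example, not the original page's code. The sample spec below is
constructed for illustration: /users GET defines a proper 500 response,
/users POST defines none, and /health GET defines a 500 with no schema.
"""
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed 500 response that references a shared, closed error schema,
# so the server never leaks an ad-hoc framework error page or stack trace.
ERROR_500_RESPONSE = {
    "description": "Internal server error",
    "content": {
        "application/json": {
            "schema": {"$ref": "#/components/schemas/Error"}
        }
    },
}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example API (constructed)", "version": "1.0.0"},
    "components": {
        "schemas": {
            "Error": {
                "type": "object",
                "required": ["code", "message"],
                "properties": {
                    "code": {"type": "string"},
                    "message": {"type": "string"},
                },
                "additionalProperties": False,  # no room for stack traces or versions
            }
        }
    },
    "paths": {
        "/users": {
            "get": {
                "responses": {
                    "200": {"description": "OK"},
                    "500": copy.deepcopy(ERROR_500_RESPONSE),
                }
            },
            "post": {
                "responses": {"201": {"description": "Created"}}  # no 500 defined
            },
        },
        "/health": {
            "get": {
                "responses": {
                    "200": {"description": "OK"},
                    "500": {"description": "Something broke"},  # 500 without a schema
                }
            }
        },
    },
}


def iter_operations(spec):
    """Yield (path, method, operation) for every HTTP operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                yield path, method.lower(), operation


def find_missing_500(spec):
    """Return sorted (path, METHOD) pairs whose responses lack an explicit '500'."""
    return sorted(
        (path, method.upper())
        for path, method, op in iter_operations(spec)
        if "500" not in op.get("responses", {})
    )


def find_500_without_schema(spec):
    """Return sorted (path, METHOD) pairs whose '500' response has no media-type schema."""
    flagged = []
    for path, method, op in iter_operations(spec):
        resp = op.get("responses", {}).get("500")
        if resp is None:
            continue
        content = resp.get("content", {})
        if not any("schema" in media for media in content.values()):
            flagged.append((path, method.upper()))
    return sorted(flagged)


def add_500_response(spec):
    """Return a deep copy of the spec with ERROR_500_RESPONSE added where '500' is absent.

    Existing 500 definitions are left untouched so a human reviews them rather
    than having their documented behaviour silently replaced.
    """
    fixed = copy.deepcopy(spec)
    for _, _, op in iter_operations(fixed):
        op.setdefault("responses", {}).setdefault("500", copy.deepcopy(ERROR_500_RESPONSE))
    return fixed


if __name__ == "__main__":
    print("missing 500:", find_missing_500(SAMPLE_SPEC))
    print("500 without schema:", find_500_without_schema(SAMPLE_SPEC))
    print("missing after fix:", find_missing_500(add_500_response(SAMPLE_SPEC)))
```

Run against a real spec by replacing `SAMPLE_SPEC` with the parsed document (for example `yaml.safe_load` on the OAS file); `find_500_without_schema` still flags `/health` after `add_500_response`, which is intentional: a bare description tells consumers a 500 can happen but says nothing about the body they will receive.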