Allow to suppress Hot Chocolate specific error codes

[tobias-tengler]

Is your feature request related to a problem?

I'm just mirroring a request I saw on Slack here

Hot Chocolate adds additional error codes in the extensions of GraphQL errors, for example "HC0014" for syntax validation errors.
As an attacker I could send an invalid request and know that the GraphQL server I'm targeting is using Hot Chocolate, because of the custom error code I would receive.

The solution you'd like

Add a switch that allows to hide these HC specific error codes.

Product

Hot Chocolate

[michaelstaib]

This issue is more complex than you think ... we have put some work into this but have found that fingerprinting can also done with error messages. Also, you do not want to hide all error codes of Hot Chocolate. For instance the authentication error codes are useful for client flows.

I think, we leave this to the user to write an error filter and rewrite the errors.

What do you think?

[glen-84]

We're considering adding an IsInternal property to errors, to make it easier to filter out internal errors, but you'll still need to write the error filter yourself.