http: disable display_errors option by default

When option 'display_errors' is enabled httpd return application errors
and backtraces to the client (like PHP). It is unexpected that the
debugging information is sent to a client by default. It is usual to
have such option, but have it disabled by default: see Django's DEBUG
setting [1] for example.

1. https://docs.djangoproject.com/en/3.2/ref/settings/#debug

Part of tarantool/security#8

Author: ligurio

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Changed
+
+- Disable option display_errors by default.
+
 ## [1.1.1] - 2021-10-28
 
 ### Changed

README.md

@@ -123,7 +123,7 @@ httpd = require('http.server').new(host, port[, { options } ])
 * `charset` - the character set for server responses of
   type `text/html`, `text/plain` and `application/json`.
 * `display_errors` - return application errors and backtraces to the client
-  (like PHP).
+  (like PHP). Disabled by default (since 1.2.0).
 * `log_requests` - log incoming requests. This parameter can receive:
     - function value, supporting C-style formatting: log_requests(fmt, ...), where fmt is a format string and ... is Lua Varargs, holding arguments to be replaced in fmt.
     - boolean value, where `true` choose default `log.info` and `false` disable request logs at all.

http/server.lua

@@ -1289,7 +1289,7 @@ local exports = {
             cache_static        = true,
             log_requests        = true,
             log_errors          = true,
-            display_errors      = true,
+            display_errors      = false,
         }
 
         local self = {

test/integration/http_server_requests_test.lua

@@ -7,7 +7,9 @@ local helpers = require('test.helpers')
 local g = t.group()
 
 g.before_each(function()
-    g.httpd = helpers.cfgserv()
+    g.httpd = helpers.cfgserv({
+        display_errors = true,
+    })
     g.httpd:start()
 end)