"Why should you remove fatalsToBrowser in production? I didn't immediately make the connection when I first heard it and I'd been programming webapps for over a year by then ..." What I've always heard is "because an error message may give an 'evil hacker type' too much information". Someone else can probably elaborate as to how valid that is, I don't do much CGI/web stuff. (A rails app every now and then, that's it).