Tags: c#, asp.net, .net, asp.net-web-api, odata

How to remove the OData innererror from production services


The spec for Error Response says:

The value for the innererror name/value pair MUST be an object. The contents of this object are service-defined. Usually this object contains information that will help debug the service. The innererror name/value pair SHOULD only be used in development environments in order to guard against potential security concerns around information disclosure.

The spec is right: in ASP.NET the innererror property gives useful info such as the stack trace, but I really don't want to share this info with my API clients.

As yet, I haven't found a way of removing this property from the response. Is it even possible?


Solution

  • Yes, it is possible, but it is quite cumbersome.

    You need to do four things:

    Firstly, you should derive your own OData error serializer from the default implementation. The difference from the default ODataErrorSerializer will be to override the method containing the following code:

    bool includeDebugInformation = oDataError.InnerError != null;
    

    Change it to

    bool includeDebugInformation = oDataError.InnerError == null;
    

    or simply set the value to false in your overridden implementation. Let's say your own OData error serializer is called MyODataErrorSerializer.

    Then you need to derive your own OData serializer provider from the default one. The difference from the DefaultODataSerializerProvider will be to change the following code:

    private static readonly ODataErrorSerializer _errorSerializer = new ODataErrorSerializer();
    

    to your own error serializer:

    private static readonly ODataErrorSerializer _errorSerializer = new MyODataErrorSerializer();
    

    Let's say your own serializer provider is called MyODataSerializerProvider.

    After that, do a similar thing to ODataMediaTypeFormatters. Derive a MyODataMediaTypeFormatters from DefaultODataMediaTypeFormatters which uses MyODataSerializerProvider instead of DefaultODataSerializerProvider.

    Finally, add the following code to your Web API OData implementation:

    config.Formatters.InsertRange(0, MyODataMediaTypeFormatters.Create()); // register your derived formatters, not the default ODataMediaTypeFormatters
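
The four steps above, carried through as one added example (this is not code from the answer or from the OData library). It assumes ASP.NET Web API 2.2 with the Microsoft.AspNet.OData 5.x package (OData v4, System.Web.OData namespaces); the v3 package uses System.Web.Http.OData and slightly different method signatures, so adjust the overrides there. Instead of copying the library source to change a private static field, it overrides the virtual GetODataPayloadSerializer method of DefaultODataSerializerProvider, and instead of a separate MyODataMediaTypeFormatters class it uses the ODataMediaTypeFormatters.Create overload that accepts a serializer provider. The class names MyODataErrorSerializer and MyODataSerializerProvider are taken from the answer; everything else is assumed.

```csharp
using System;
using System.Net.Http;
using System.Web.Http;
using System.Web.OData.Formatter;
using System.Web.OData.Formatter.Deserialization;
using System.Web.OData.Formatter.Serialization;
using Microsoft.OData.Core;

// Step 1: an error serializer that never emits the innererror object.
// The base ODataErrorSerializer computes includeDebugInformation from
// oDataError.InnerError != null, so clearing InnerError (and the
// exception entries of an HttpError, from which InnerError is built)
// before delegating to the base class is enough to suppress it.
public class MyODataErrorSerializer : ODataErrorSerializer
{
    public override void WriteObject(object graph, Type type,
        ODataMessageWriter messageWriter, ODataSerializerContext writeContext)
    {
        var oDataError = graph as ODataError;
        if (oDataError != null)
        {
            oDataError.InnerError = null; // base will now pass includeDebugInformation == false
        }

        var httpError = graph as HttpError;
        if (httpError != null)
        {
            // HttpError is a dictionary; these are the keys Web API uses for
            // exception details and the ones the OData conversion turns into innererror.
            httpError.Remove("ExceptionMessage");
            httpError.Remove("ExceptionType");
            httpError.Remove("StackTrace");
            httpError.Remove("InnerException");
        }

        base.WriteObject(graph, type, messageWriter, writeContext);
    }
}

// Step 2: a serializer provider that hands out MyODataErrorSerializer for
// error payloads and defers to the default provider for everything else.
public class MyODataSerializerProvider : DefaultODataSerializerProvider
{
    private static readonly ODataSerializer ErrorSerializer = new MyODataErrorSerializer();

    public override ODataSerializer GetODataPayloadSerializer(Type type, HttpRequestMessage request)
    {
        if (type == typeof(ODataError) || type == typeof(HttpError))
        {
            return ErrorSerializer;
        }
        return base.GetODataPayloadSerializer(type, request);
    }
}

// Steps 3 and 4: build the OData formatters with the custom provider and
// register them ahead of the stock formatters (assumed to live in WebApiConfig).
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Belt and braces: also stop Web API itself from attaching exception
        // details to HttpError, so nothing sensitive reaches the serializer.
        config.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;

        var formatters = ODataMediaTypeFormatters.Create(
            new MyODataSerializerProvider(),
            new DefaultODataDeserializerProvider());
        config.Formatters.InsertRange(0, formatters);

        // ... MapODataServiceRoute etc. as in the rest of your configuration
    }
}
```

With this in place an error response still carries the top-level error code and message, but no innererror object and therefore no stack trace or exception type. The IncludeErrorDetailPolicy line is independent of OData and worth setting in any production Web API; the serializer override then guards the cases where an ODataError is constructed directly with an InnerError.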