Severity: High | Category: Infrastructure

Debug Mode Enabled in Production

What Is This Vulnerability?

Running a production application with debug mode enabled exposes detailed error messages, stack traces, environment variables, database queries, and internal application state to anyone who encounters an error. Frameworks like Django, Laravel, Flask, and Express all have debug modes that reveal sensitive internals when triggered.

Why It Happens

Debug mode is essential during development for troubleshooting. Developers enable it locally and the setting gets committed to configuration files or environment templates. Some deployment scripts fail to override the debug flag for production. Environment variable defaults may be set to 'true' in code, and the production environment never explicitly sets them to 'false'.

Example Code

Vulnerable: settings.py
# settings.py
DEBUG = True
SECRET_KEY = "django-insecure-dev-key-12345"
ALLOWED_HOSTS = ["*"]

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "myapp_db",
        "USER": "admin",
        "PASSWORD": "admin123",
    }
}

Fixed: settings.py
import os

# Debug stays off unless DJANGO_DEBUG is explicitly "true"; a missing variable means production mode.
DEBUG = os.environ.get("DJANGO_DEBUG", "False").lower() == "true"
# No fallback value: the deployment fails fast if the secret has not been provided.
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
# Comma-separated host list; drop empty entries so an unset variable yields [] rather than [""].
ALLOWED_HOSTS = [h for h in os.environ.get("ALLOWED_HOSTS", "").split(",") if h]

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        # Credentials come only from the environment, never from the repository.
        "NAME": os.environ["DB_NAME"],
        "USER": os.environ["DB_USER"],
        "PASSWORD": os.environ["DB_PASSWORD"],
    }
}

How Hackers Exploit It

Attackers deliberately trigger errors (404 pages, malformed requests, SQL injection attempts) to view debug output. The information disclosed often includes source code paths, database connection strings, API keys, session secrets, and installed package versions. This reconnaissance data dramatically simplifies further attacks against the application.

How to Fix It

Always set debug mode to false in production environments. Use environment variables for all configuration with safe defaults (debug off). Implement custom error pages that hide internal details. Set up structured logging that captures debug information server-side without exposing it to users. Add deployment checks that verify debug mode is disabled.

Frequently Asked Questions

What information does debug mode expose?
Debug mode typically reveals full stack traces with source code, environment variables (which may include API keys and secrets), database query logs, request and response headers, installed package versions, file system paths, and the full application configuration. This gives attackers a detailed map of your internals.
How do I check if debug mode is on in production?
Trigger a 404 or 500 error and inspect the response. If you see a detailed error page with stack traces instead of a generic error page, debug mode is likely enabled. You can also check your deployment configuration files, environment variables, and use automated scanners that detect verbose error responses.
What is the safe default for debug settings?
Always default to debug being off (false/disabled). Require an explicit environment variable to enable it, and only set that variable in development environments. This ensures that if the configuration is missing or incomplete, the application runs in the more secure production mode.
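The deployment check described under "How to Fix It" and the response check from the FAQ above, as an added example that is not part of the original page. It applies the same parsing rule as the fixed settings.py to a Django environment and flags the weak settings shown in the vulnerable example; the debug-page markers, the sample environment and the sample responses are constructed for this example.

```python
from typing import Dict, List

# Strings that appear in Django's technical (debug) error pages. Treating them
# as evidence that DEBUG=True reached production is an assumption of this example.
DEBUG_PAGE_MARKERS = (
    "You're seeing this error because you have DEBUG = True",
    "Traceback (most recent call last)",
    "Request information",
)

def parse_debug_flag(value: str) -> bool:
    """Same rule as the fixed settings.py: only the literal 'true' enables debug."""
    return value.strip().lower() == "true"

def check_settings_env(env: Dict[str, str]) -> List[str]:
    """Pre-deploy check: return findings for a production environment, empty if clean."""
    findings = []
    if parse_debug_flag(env.get("DJANGO_DEBUG", "False")):
        findings.append("DJANGO_DEBUG is enabled")
    secret = env.get("DJANGO_SECRET_KEY", "")
    if not secret:
        findings.append("DJANGO_SECRET_KEY is not set")
    elif secret.startswith("django-insecure-"):
        findings.append("DJANGO_SECRET_KEY is a generated development key")
    hosts = [h for h in env.get("ALLOWED_HOSTS", "").split(",") if h]
    if not hosts:
        findings.append("ALLOWED_HOSTS is empty")
    elif "*" in hosts:
        findings.append("ALLOWED_HOSTS allows any host")
    return findings

def looks_like_debug_page(status: int, body: str) -> bool:
    """Post-deploy check: does an error response look like a framework debug page?"""
    return status >= 400 and any(marker in body for marker in DEBUG_PAGE_MARKERS)

# Constructed sample inputs (not captured from a real deployment).
SAMPLE_ENV = {
    "DJANGO_DEBUG": "True",
    "DJANGO_SECRET_KEY": "django-insecure-dev-key-12345",
    "ALLOWED_HOSTS": "*",
}
SAMPLE_DEBUG_404 = ("<h1>Page not found (404)</h1> ... You're seeing this error because "
                    "you have DEBUG = True in your Django settings file.")
SAMPLE_GENERIC_404 = "<h1>Not Found</h1><p>The requested resource was not found.</p>"

if __name__ == "__main__":
    for finding in check_settings_env(SAMPLE_ENV):
        print("FAIL:", finding)
    print(looks_like_debug_page(404, SAMPLE_DEBUG_404), looks_like_debug_page(404, SAMPLE_GENERIC_404))
```

Run check_settings_env against the real environment (dict(os.environ)) in a CI step and fail the deployment when it returns any findings.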
